Back to skill

Security audit

Wechat Connect

Security checks across malware telemetry and agentic risk

Overview

The skill appears to do the advertised WeChat setup, but it automatically installs remote code and makes persistent OpenClaw account/config changes without a strong consent boundary.

Install only if you trust this publisher and the npm package it pulls at runtime. Before use, understand that it can install external code, contact WeChat APIs, write a WeChat bot token under ~/.openclaw, enable an OpenClaw channel, update an allowlist, and restart the gateway. Prefer a version-pinned installer, close the local server after pairing, and know how to revoke or delete the stored token.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The skill metadata claims no command-line interaction is required, but the script automatically executes multiple privileged CLI operations including plugin installation, configuration changes, and service restart. This discrepancy is security-relevant because it causes materially broader system side effects than a user would reasonably expect from a QR-based pairing flow, increasing the chance of unauthorized package installation or host reconfiguration.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The code launches a detached shell-based restart of the OpenClaw gateway, which exceeds the narrow scope of displaying a QR code and pairing an account. Detached process execution reduces visibility and control for the user, and using shell mode expands risk if command arguments ever become variable or environment-influenced.

Intent-Code Divergence

Medium
Confidence
99% confidence
Finding
The server attempts to restrict file serving to /tmp using startsWith(BASE_DIR) after path.join, but this does not reliably prevent traversal because normalized paths like /tmp/../etc/passwd still begin with '/tmp'. Since the HTTP server exposes arbitrary file reads to local clients on port 8765, an attacker on the same host could request sensitive files outside /tmp.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger examples are broad and include fuzzy natural-language variants such as '装一下微信', which can cause the skill to activate on ambiguous user requests. In this skill's context, accidental activation is more dangerous because the documented workflow can auto-install software, open a local HTTP service, modify local config, and write account files without a strong confirmation boundary.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill explicitly documents automatic package installation and later local file/config modification, but does not present a clear up-front warning or require explicit informed consent before making those system changes. This is especially risky here because the skill also normalizes ignoring a dangerous-code warning from the plugin, meaning a user could be led into installing and enabling a network-capable component with persistent configuration changes they did not clearly approve.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/start.mjs:59