wechat-auto-reply-skill-v5

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says at a high level, but it persistently watches private WeChat chats and can send messages as the user without strong consent and safety limits.

Install only if you are comfortable granting screen-capture and input-control permissions and allowing automated WeChat replies. Use it only for low-risk contacts, keep unrelated sensitive content off screen, avoid the Windows npx fallback by installing PeekabooWin at a verified path, watch initial runs, and stop both the monitor and recurring automation when finished.

Publisher note

20260516: The WeChat window must stay visible (it cannot be minimized to the taskbar). The contact name must match exactly what WeChat displays. Reply delay is about 10-15 minutes (including a 10-minute smart wait: if you have already replied manually, the AI will not reply again). Each reply costs about ¥0.007-0.1.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (14)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
```python
                "--output", path]

        try:
            r = subprocess.run(cmd, capture_output=True, text=True, timeout=15)
            if r.returncode != 0:
                print(f"  PeekabooWin stderr: {r.stderr.strip()}", flush=True)
            return r.returncode == 0
```
Confidence
79% confidence
Finding
r = subprocess.run(cmd, capture_output=True, text=True, timeout=15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill clearly uses shell commands, environment variables, and file writes, yet does not declare these capabilities/permissions. That undermines least-privilege review and prevents users or the platform from understanding the true execution surface before enabling a privacy-sensitive automation.
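
The subprocess finding and this least-privilege finding point at the same fix, and the Overview's advice to install PeekabooWin at a verified path instead of relying on the npx fallback is how to get there. The block below is an added example, not code from the skill: it resolves the screenshot helper only from an operator-recorded allowlist of absolute paths and SHA-256 digests, builds the command as an argv list with no shell, and keeps the 15-second timeout. The PeekabooWin install path, its digest, its command-line flags and the sample "binary" are hypothetical placeholders.

```python
# Added example, not the skill's own code. Run the screenshot helper only from an
# allowlisted, digest-verified location; never fall back to `npx`, which would
# fetch and execute whatever the package registry serves at run time.
import hashlib
import os
import subprocess
import tempfile

# Hypothetical: the operator records the absolute path and SHA-256 of the binary
# at install time. A missing file or a digest mismatch means "do not run".
TRUSTED_TOOLS = {
    r"C:\Program Files\PeekabooWin\peekaboowin.exe": "<sha256 hex recorded at install time>",
}


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_tool(path: str, expected_sha256: str) -> bool:
    """True only for an existing regular file whose digest matches exactly."""
    return os.path.isfile(path) and sha256_file(path) == expected_sha256.lower()


def resolve_capture_tool(trusted=None):
    """Return the first verified allowlisted path, or None.
    PATH lookup and the npx fallback are never attempted."""
    trusted = TRUSTED_TOOLS if trusted is None else trusted
    for path, digest in trusted.items():
        if verify_tool(path, digest):
            return path
    return None


def build_capture_cmd(tool: str, window_title: str, output_path: str) -> list:
    # argv list + shell=False: the window title stays one argument even if it
    # contains quotes, semicolons or backticks. The flag names are hypothetical.
    return [tool, "capture", "--window", window_title, "--output", output_path]


def capture_window(window_title: str, output_path: str, trusted=None) -> bool:
    tool = resolve_capture_tool(trusted)
    if tool is None:
        raise RuntimeError("no verified PeekabooWin binary; refusing to use the npx fallback")
    cmd = build_capture_cmd(tool, window_title, output_path)
    r = subprocess.run(cmd, capture_output=True, text=True, timeout=15, shell=False)
    if r.returncode != 0:
        print(f"  PeekabooWin stderr: {r.stderr.strip()}", flush=True)
    return r.returncode == 0


def make_sample_tool() -> str:
    """Constructed stand-in for a tool binary (a file with known bytes) so the
    verification logic can be exercised offline without a real PeekabooWin."""
    fd, path = tempfile.mkstemp(prefix="peekaboowin-sample-")
    with os.fdopen(fd, "wb") as f:
        f.write(b"not a real binary\n")
    return path
```

Declaring `TRUSTED_TOOLS` (and the file writes the skill performs) in the skill's manifest is what would let a reviewer see the execution surface before enabling it; the digest check only protects against the binary being swapped after the operator recorded it, not against a bad binary recorded in the first place.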

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The manifest describes message monitoring and auto-reply, but the instructions also perform broader screen capture, dependency inspection, permission checks, and local persistence of screenshots and coordination data. In a messaging context, capturing full chat windows can expose unrelated conversation content and personal data beyond what users may reasonably expect from the description.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The skill sets up a recurring automation that continues inspecting chats and sending replies without per-message confirmation. Autonomous messaging in a personal chat application is high risk because it can misfire, impersonate the user, and continue operating after the original request context has ended.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The Windows stop procedure uses Stop-Process -Name python -Force, which can terminate every Python process on the system rather than only this skill's monitor. That can disrupt unrelated applications, scripts, notebooks, or developer workflows and cause data loss or corruption.
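
The scoped alternative to `Stop-Process -Name python -Force` is for the monitor to record its own PID and for the stop step to terminate that PID only. The block below is an added example, not the skill's code; the skill's README does not define a PID file, so the file location and the `terminate` hook are this example's own assumptions.

```python
# Added example, not the skill's own code. The monitor writes its PID once at
# startup; the stop procedure terminates exactly that PID, after sanity checks,
# instead of killing every process named python.
import os
import signal
import tempfile
from pathlib import Path

# Hypothetical location; the skill's README does not define a PID file.
PID_FILE = Path.home() / ".wechat_monitor.pid"


def write_pid_file(pid_file=PID_FILE, pid=None) -> int:
    """Called once by the monitor process at startup."""
    pid = os.getpid() if pid is None else pid
    Path(pid_file).write_text(f"{pid}\n", encoding="ascii")
    return pid


def read_pid_file(pid_file=PID_FILE):
    """Return the recorded PID, or None if the file is missing or not a plain integer."""
    try:
        text = Path(pid_file).read_text(encoding="ascii").strip()
    except FileNotFoundError:
        return None
    return int(text) if text.isdigit() else None


def terminate_pid(pid: int) -> bool:
    """Terminate one process by PID. os.kill(pid, SIGTERM) sends SIGTERM on POSIX
    and calls TerminateProcess on that single PID on Windows."""
    try:
        os.kill(pid, signal.SIGTERM)
    except OSError:          # no such process, or not ours to kill
        return False
    return True


def stop_monitor(pid_file=PID_FILE, terminate=terminate_pid) -> bool:
    """Stop exactly the process recorded in the PID file. Returns False and touches
    nothing when there is no valid PID or the PID is the caller itself."""
    pid = read_pid_file(pid_file)
    if pid is None or pid == os.getpid():
        return False
    if not terminate(pid):
        return False
    Path(pid_file).unlink(missing_ok=True)
    return True


def tmp_pid_file() -> Path:
    """Constructed scratch path so the round trip can be exercised without touching $HOME."""
    fd, path = tempfile.mkstemp(prefix="wechat_monitor-", suffix=".pid")
    os.close(fd)
    return Path(path)
```

On Windows the same scoping in PowerShell is `Stop-Process -Id (Get-Content "$env:USERPROFILE\.wechat_monitor.pid")`. One caveat the example does not cover: a stale PID file can point at a PID the OS has since reused, so a stop script run long after the monitor died should confirm the target's command line still refers to `wechat_monitor.py` before terminating it.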

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README documents continuous screen capture of WeChat windows, writing message-detection state to temporary files, deleting those files, and automatically sending replies, but it does not clearly warn users about the privacy and data-handling implications. In this skill context, that omission matters because the automation processes personal communications and screenshots, which can expose sensitive content and cause unintended actions without informed consent.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This skill monitors WeChat and captures screenshots of chat windows, but the user-facing description does not prominently warn that private conversations may be recorded and stored locally. In a messaging context, omission of this privacy warning increases the chance of uninformed consent and accidental exposure of sensitive personal or business data.

Missing User Warnings

High
Confidence
97% confidence
Finding
The recurring automation can send messages on the user's behalf without confirming each reply, but this is not surfaced as a prominent warning in the skill description. For a chat platform, silent autonomous sending materially changes the trust model and can lead to reputational, privacy, or social harm if the automation responds incorrectly.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The usage documentation describes screenshot-based monitoring and later analysis of WeChat content, but it does not present this as an upfront privacy warning or explicit consent requirement. Because the skill captures visible chat content from a messaging app, users may not fully understand that private messages and potentially unrelated on-screen data will be collected and analyzed.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The document explains that the skill can generate and send replies on the user's behalf, but it does not clearly foreground this as a potentially consequential action affecting external communications. Auto-sending messages can create reputational, legal, or business risk if the user does not realize messages may be transmitted without a final manual review.
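
The two findings on autonomous sending (the recurring automation replying without per-message confirmation, and silent sending not being surfaced as a warning) describe a missing control rather than a missing sentence. The block below is an added example, not the skill's code, of a policy gate in front of the send step: allowlisted contacts only, the 10-minute smart wait from the publisher note, no second reply to a message the user has already handled, a per-contact rate limit, and a confirmation hook that defaults to deny. Reply generation is deferred until the cheap checks pass, which also avoids paying for drafts that will never be sent. The class and function names, the thresholds and the sample inbox are this example's own assumptions.

```python
# Added example, not the skill's own code. Every path that can send a message
# runs through ReplyGate first; with no confirm callback nothing is ever sent.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Message:
    contact: str        # must match the name WeChat displays exactly
    text: str
    ts: float           # when the message was first seen on screen (epoch seconds)
    from_me: bool       # True if the newest visible message was typed by the user


class ReplyGate:
    def __init__(self, allowed_contacts, smart_wait_s: float = 600.0,
                 max_per_hour: int = 6,
                 confirm: Optional[Callable[[str, str], bool]] = None):
        self.allowed = frozenset(allowed_contacts)
        self.smart_wait_s = smart_wait_s          # publisher note: 10-minute smart wait
        self.max_per_hour = max_per_hour
        self.confirm = confirm                    # None => never send
        self._answered: Set[Tuple[str, float, str]] = set()
        self._sent: Dict[str, List[float]] = {}

    def precheck(self, msg: Message, now: float) -> Tuple[bool, str]:
        """Cheap checks that need no draft. Returns (may_send, reason)."""
        if msg.contact not in self.allowed:
            return False, "contact not allowlisted"
        if msg.from_me:
            return False, "user already replied manually"
        if now - msg.ts < self.smart_wait_s:
            return False, "inside smart-wait window"
        if (msg.contact, msg.ts, msg.text) in self._answered:
            return False, "already answered this message"
        recent = [t for t in self._sent.get(msg.contact, []) if now - t < 3600]
        if len(recent) >= self.max_per_hour:
            return False, "per-contact rate limit reached"
        return True, "ok"

    def confirmed(self, contact: str, draft: str) -> bool:
        """Final human/policy confirmation of the concrete draft; deny by default."""
        return self.confirm is not None and bool(self.confirm(contact, draft))

    def record_sent(self, msg: Message, now: float) -> None:
        self._answered.add((msg.contact, msg.ts, msg.text))
        self._sent.setdefault(msg.contact, []).append(now)


def run_tick(gate: ReplyGate, messages, draft_for, now: float, send) -> List[Tuple[str, str]]:
    """One monitor cycle. `send(contact, text)` runs only after both gate stages allow."""
    outcome = []
    for msg in messages:
        ok, why = gate.precheck(msg, now)
        if ok:
            draft = draft_for(msg)               # generate (and pay for) a reply only now
            if gate.confirmed(msg.contact, draft):
                send(msg.contact, draft)
                gate.record_sent(msg, now)
            else:
                why = "not confirmed"
        outcome.append((msg.contact, why))
    return outcome


def demo() -> List[Tuple[str, str]]:
    """Constructed sample tick: one allowlisted contact waiting over 10 minutes,
    one thread the user already answered, one contact outside the allowlist."""
    t0 = 1_700_000_000.0
    inbox = [
        Message("mini", "在吗?", t0, False),
        Message("mini", "晚饭吃什么", t0 + 30, True),
        Message("boss", "report?", t0, False),
    ]
    gate = ReplyGate({"mini"}, confirm=lambda contact, draft: True)
    sent = []
    return run_tick(gate, inbox, lambda m: f"auto-reply to: {m.text}",
                    t0 + 900, lambda c, d: sent.append((c, d)))
```

In a real deployment `confirm` would prompt the user or apply a stricter policy than the sample's blanket allow; with the default `None`, the gate's answer is always "not confirmed", so a misconfigured install fails closed rather than sending.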

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The script continuously captures screenshots of the WeChat window, which can expose message content and other sensitive information without any explicit privacy notice, consent workflow, minimization, or retention controls. In the context of a messaging-monitoring skill, this materially increases privacy risk because the captured images may contain personal or confidential conversations.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The documented trigger phrases are broad natural-language commands like “监控 mini 的微信” (“monitor mini's WeChat”) and variants, without clear boundary conditions, confirmation requirements, or exclusions. In an agent environment, this increases the risk of accidental activation or prompt-triggering by unrelated text, causing unintended monitoring and automated messaging actions.

Missing User Warnings

High
Confidence
96% confidence
Finding
This section describes automatic screenshot capture, message analysis, reply generation, and message sending, but does not provide a clear privacy warning or informed-consent notice about collecting screen contents and transmitting message data to AI services. Because WeChat messages often contain sensitive personal or business information, the lack of explicit disclosure materially increases privacy, compliance, and data-handling risk.

Session Persistence

Medium
Category
Rogue Agent
Content
**macOS:**
```bash
nohup python3 scripts/wechat_monitor.py \
  --contact "联系人名称" \
  --interval 600 \
  --threshold 1000 \
```
Confidence
88% confidence
Finding
nohup

VirusTotal

VirusTotal findings are pending for this skill version.