WeChat Official Account Toolkit (微信公众号工具包)

Security checks across malware telemetry and agentic risk

Overview

This WeChat publishing toolkit mostly matches its stated purpose, but it has review-worthy account-control, credential-handling, and deceptive rewrite risks.

Review this carefully before installing. Use it only with a WeChat account you control, prefer explicit WECHAT_APP_ID and WECHAT_APP_SECRET environment variables over TOOLS.md discovery, rotate credentials if they were exposed, avoid running delete or formal publish commands without a manual backup/review step, and do not use the rewrite workflow to disguise copied or AI-generated content as original. VirusTotal results were still pending, so this review verdict is based on artifact evidence rather than VT telemetry.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (22)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 91%
Finding: The skill documents use of shell commands, environment variables, and networked operations, but no explicit permission declaration or user-consent boundary is present. This increases the risk that an agent invokes powerful capabilities silently, especially where credentials and external publishing actions are involved.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding: The declared description presents four broad modules, but the content also includes higher-risk capabilities such as deleting drafts/published articles, formal publication workflows, video/media upload handling, and mention of a local HTTP service/API. Understating destructive and remotely exposed behaviors can mislead users and orchestrators about trust level and required approvals.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding: The script searches multiple hard-coded paths under the user's home directory and parses unrelated TOOLS.md files to recover WECHAT_APP_ID and WECHAT_APP_SECRET. This expands the tool's access to credentials outside its immediate execution context and can silently use secrets from other workspaces, increasing the risk of unintended credential harvesting or cross-project secret leakage.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding: The script searches hard-coded workspace TOOLS.md files in the user's home directory and extracts WECHAT_APP_ID and WECHAT_APP_SECRET without an explicit prompt or consent flow. Even though publishing to WeChat legitimately requires credentials, silently harvesting secrets from unrelated local files creates unnecessary secret-discovery behavior and broadens access to credentials beyond the declared input surface.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding: The script searches hard-coded workspace paths for TOOLS.md and extracts WECHAT_APP_ID and WECHAT_APP_SECRET, which is credential harvesting from files outside the explicitly provided input. That expands data access beyond the expected publish workflow and can silently consume secrets from unrelated workspaces or users on the same machine.

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
Finding: The code automatically runs `pnpm install --frozen-lockfile` and `pnpm build` inside a bundled source tree, which executes package-manager lifecycle scripts and build code from vendored content. That creates a software supply-chain and arbitrary code execution risk on the host at runtime, especially because this behavior is triggered from the skill rather than being a clearly separated installation step.

Context-Inappropriate Capability

Severity: Medium
Confidence: 83%
Finding: Allowing fallback to a globally installed `wenyan` executable expands trust from the bundled tool to any binary found on the host `PATH`. A malicious or unexpected host-installed command could be invoked instead, leading to unintended code execution and behavior outside the skill's declared, reviewable contents.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding: The `serve` command starts an HTTP API server even though the skill is described as a content toolkit, not a network service. Exposing a listener materially increases attack surface and can enable unintended remote access to rendering/publishing functionality; the optional API key is not required, so the server may be started without authentication depending on deployment choices.

Missing User Warnings

Severity: Medium
Confidence: 85%
Finding: The README documents commands that can publish, delete, and manage WeChat Official Account drafts and published content, but it does not clearly warn that these operations modify live account state and may irreversibly delete or publish content. In an agent-skill context, omission of explicit user-impact and confirmation guidance increases the risk of accidental destructive actions when an agent or user follows the instructions mechanically.

Natural-Language Policy Violations

Severity: High
Confidence: 96%
Finding: The skill explicitly promotes '洗稿' (article washing), '降低查重率' (lowering the duplicate-check rate), '去掉 AI 味' (removing the AI flavor), and '原创改写' (rewriting as original), which indicates intent to disguise reused or AI-generated content and evade plagiarism or platform-detection mechanisms. In this content-publishing context, that is more dangerous because the toolkit also supports search, download, rewrite, and one-click republication, enabling end-to-end large-scale content laundering.

Vague Triggers

Severity: Medium
Confidence: 83%
Finding: The skill is scoped to common activities like searching, downloading, rewriting, and publishing WeChat articles without clear restrictions, making accidental or overbroad activation more likely. Because some actions can contact external services, process third-party content, or publish to a real account, vague activation materially raises operational risk.

Vague Triggers

Severity: Medium
Confidence: 82%
Finding: The trigger examples are short, natural-language phrases that overlap with everyday requests, especially for download and publish actions. This can cause the agent to invoke a high-capability skill when the user may only be asking a general question, increasing the chance of unintended network, filesystem, or account actions.

Vague Triggers

Severity: Medium
Confidence: 86%
Finding: The rewrite triggers are broad and easy to match in ordinary conversation, while the module itself is oriented toward transforming content for publication. Overbroad activation is especially risky here because the skill encourages producing disguised derivative material that may then be published through connected account tooling.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The file instructs users to configure credentials and run a one-click publishing flow to WeChat, but it does not clearly warn that article content, images, and metadata will be transmitted to an external platform. In a skill that automates publication, this omission can cause users to unknowingly send sensitive or proprietary content off-system, especially when local and network images are auto-uploaded.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The script exposes destructive and irreversible operations such as draft deletion, published article deletion, and publication without any confirmation prompt, dry-run, or explicit warning gate. In an agent-driven or automated environment, a mistaken argument, prompt injection, or unintended invocation could immediately alter or remove production content.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: The code reads sensitive WeChat credentials from local files with no user-facing notice before access, so users may not realize the tool is inspecting workspace files for secrets. This reduces transparency and can lead to unintended disclosure or normalization of unsafe secret-handling practices, especially in agent or automation contexts.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The visible CLI/help text does not clearly disclose that the tool will read credentials from TOOLS.md files under fixed home-directory paths. This creates a transparency and consent problem: users may invoke publishing expecting only the provided markdown to be used, while the script silently inspects local files for secrets.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding: The script writes a WeChat access token to a persistent cache file under ~/.config/wenyan-md/token.json without clearly informing the user in the CLI interface. Persisting tokens increases exposure to local theft by other processes, accidental backup/sync leakage, or reuse beyond the current session.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The README instructs users to place WeChat credentials in a .env file and pass them into a container, but provides no guidance on secret hygiene such as excluding .env from version control, using least-privilege secrets storage, or avoiding leakage through logs and shared environments. In the context of a toolkit that publishes to a WeChat account, exposed app credentials could allow unauthorized API use and account abuse.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: The server mode documentation exposes unauthenticated render and publish endpoints over the network and does not warn about authentication, TLS, access control, or privacy implications. Because the publish endpoint can act on behalf of a WeChat account and the render endpoint accepts user-controlled content, deploying this as documented could enable unauthorized publishing, service abuse, or content/data exposure.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: This helper sends article identifiers and other request data to a remotely configurable server, and the default endpoint is plain HTTP on localhost. In a skill that searches, downloads, rewrites, and publishes WeChat articles, these requests can carry sensitive content or administrative actions, and using unauthenticated/unencrypted transport or an unexpected server can expose data or enable manipulation.

Ssd 2

Severity: Medium
Confidence: 97%
Finding: The rewrite guidance explicitly aims to remove AI traces, lower duplication detection, and make copied or generated text appear original. In context, this facilitates plagiarism evasion, policy circumvention, and deceptive publication at scale, especially when paired with built-in search/download and publishing workflows.

VirusTotal

66/66 vendors flagged this skill as clean.