wewe-rss WeChat Export

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed feed exporter that downloads user-supplied WeChat/wewe-rss content and writes DOCX or ZIP outputs locally as expected.

Install this only if you intend to let it fetch the feed URL you provide, download embedded images from article content, and create local export files. Use a dedicated output directory, review files before sharing ZIP archives, and be aware that an existing ZIP at the same output path is replaced.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 89%
Finding
The README advertises feed scraping, image localization, DOCX generation, and optional ZIP packaging, but does not clearly warn users that the skill performs network retrieval and writes potentially large amounts of content and archives to local storage. In an agent skill context, missing disclosure about external access and filesystem side effects can lead to unsafe execution in environments where users assume documentation-only or low-impact behavior.

Missing User Warnings

Low
Confidence: 81%
Finding
The skill documents writing exported files into the current working directory and optionally generating zip archives, but it does not prominently warn users that running it will create local artifacts and packaged outputs. This can lead to accidental data sprawl, overwriting expectations, or unintended inclusion of sensitive exported content in archives, especially in automated or shared workspaces.

VirusTotal

67/67 vendors flagged this skill as clean.
