WeChat MP Reader

Security checks across malware telemetry and agentic risk

Overview

The skill is built for WeChat article extraction, but it can obtain and persist logged-in WeChat MP backend session credentials in local files.

Review before installing. Public article extraction is the lower-risk use. Only scan the QR code or provide WECHAT_MP_COOKIE/WECHAT_MP_TOKEN if you trust the publisher and runtime, prefer a low-risk WeChat MP account, and delete scripts/cache/session.json and login-state artifacts when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Description-Behavior Mismatch

Severity: Medium
Confidence: 88%
Finding:
The handoff explicitly states the skill supports 'managing WeChat MP backend session state,' which expands the capability from passive article retrieval into authenticated account-session handling. Session management increases the trust boundary and can expose or misuse authenticated state if the skill is invoked in unintended contexts or if session artifacts are stored insecurely.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding:
The documentation says QR login can obtain a fresh MP backend session, indicating the skill can drive acquisition of authenticated access rather than only read public article content. That makes the skill capable of handling credentials/session tokens, which raises the risk of unauthorized account access, token leakage, or overbroad use beyond the advertised reader purpose.

Context-Inappropriate Capability

Severity: Medium
Confidence: 86%
Finding:
The listed session helper modules and backend-session components show the skill is designed to maintain authenticated state as part of its normal operation. For a reader/archive skill, this is more dangerous because it introduces account-session persistence and helper code that could be abused to access backend-only data or to retain sensitive session credentials longer than necessary.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding:
The file implements session inspection, persistence, and QR-login flows in addition to article retrieval. For a reader/extractor skill, collecting and managing authenticated WeChat MP backend credentials expands the privilege boundary and increases the chance of credential misuse or unintended access to private backend capabilities.

Context-Inappropriate Capability

Severity: High
Confidence: 96%
Finding:
The QR login flow is used to obtain fresh WeChat MP session credentials, which goes beyond passive article reading and enables authenticated backend access. If triggered unexpectedly or exposed through an agent, it could harvest or refresh privileged session material and then be used to search accounts or enumerate article history under the logged-in operator's authority.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding:
The code saves WeChat MP session cookie/token material to disk, creating a durable credential artifact. Persisted sessions are vulnerable to accidental disclosure, reuse by other local processes, or later exfiltration, especially if file permissions and lifecycle controls are weak or undocumented.

Description-Behavior Mismatch

Severity: High
Confidence: 96%
Finding:
On successful QR login, the code extracts the authenticated WeChat token and full cookie string, then persists them via save_session_file. This creates a reusable authenticated session artifact that can enable account access beyond the skill’s stated article-reading purpose, and if the file is exposed or reused improperly it could allow unauthorized use of the user’s WeChat MP session.

Context-Inappropriate Capability

Severity: High
Confidence: 93%
Finding:
The code implements an end-to-end account-authentication flow: polling login state, finalizing login, extracting token/cookies, and saving the resulting session. In the context of a skill described as fetching public WeChat articles, this is over-privileged functionality that materially increases abuse potential by enabling authenticated account access rather than public-content retrieval.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The usage guide explicitly instructs users to initiate QR-code login, save session state, and manage a logged-in WeChat MP backend session, but it does not warn about the sensitivity of cookies/tokens, local persistence risks, or the privacy implications of operating with an authenticated publisher account. In an agent setting, this can normalize storing long-lived authenticated sessions that could be exfiltrated, reused, or accidentally exposed through logs, screenshots, cache files, or other tooling around the skill.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
Session credentials can be persisted without any visible user-facing warning or consent step in this file. Silent storage of authentication material is risky because users may not realize sensitive cookies and tokens are being retained for future authenticated access.

Missing User Warnings

Severity: Medium
Confidence: 83%
Finding:
The code writes login state to a predictable cache path and stores the QR login image on disk without any visible disclosure or controls. Even before full authentication, this creates sensitive local artifacts that may reveal login workflow details or be accessed by other local users/processes in shared environments.

Missing User Warnings

Severity: High
Confidence: 95%
Finding:
The code converts the session cookie jar into a serializable structure and stores it in login-state.json, preserving authentication-related state on disk without user-facing warning. Disk persistence of session material increases the chance of credential theft, session replay, or unintended reuse by other components or users on the system.

VirusTotal

63/63 vendors flagged this skill as clean.