微信生态数据采集 (WeChat Ecosystem Data Collection)

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a disclosed WeChat data-query integration, but it also documents protected video download/decryption workflows and includes unrelated Douyin/Xiaohongshu routing material that should be reviewed before use.

Install only if you are comfortable sending WeChat search terms, article URLs, video identifiers, and related metadata to MaxHub/aconfig.cn using your API key. Avoid using the documented video URL, token, and decode_key workflow unless you have clear rights to access and decrypt that media, and treat the non-WeChat fallback paths as out of scope for this skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (16)

Description-Behavior Mismatch

Severity: Medium | Confidence: 93%

Finding: The skill is presented as a WeChat-only assistant, but it later includes Douyin/Xiaohongshu-specific paths and downgrade logic. This cross-platform instruction bleed can cause the agent to call unrelated APIs, mishandle user intent, or transmit queries to unintended endpoints, undermining least privilege and increasing the chance of unsafe or unauthorized data access.

Intent-Code Divergence

Severity: Medium | Confidence: 88%

Finding: The document makes a strong safety claim that all endpoints are legitimate read-only APIs for this skill, yet other sections describe non-WeChat platform endpoints. Misleading safety declarations can reduce operator scrutiny and cause the agent to trust instructions that exceed the advertised scope, which is especially risky in an adversarial prompt surface.

Context-Inappropriate Capability

Severity: Medium | Confidence: 96%

Finding: The documentation explicitly instructs users to reconstruct protected CDN URLs, download encrypted WeChat video files, and use returned decode keys with third-party tools to decrypt them. That materially expands the skill from metadata/query access into bypass-oriented media extraction guidance, which can facilitate unauthorized copying of protected content and misuse of sensitive decryption material.

Context-Inappropriate Capability

Severity: Medium | Confidence: 95%

Finding: This repeated guidance normalizes a workflow for extracting and decrypting media across homepage and related endpoints, making the capability operational rather than incidental. In a skill described as a WeChat data-query assistant, these instructions are unjustified and increase the risk that users will use the skill to obtain protected media rather than just inspect public metadata.

Context-Inappropriate Capability

Severity: Medium | Confidence: 97%

Finding: The video-detail section provides an end-to-end decryption workflow for protected video content, including URL reconstruction and decode key use. Exposing that workflow in documentation makes it easier to misuse the service for content extraction and could contribute to unauthorized access to or redistribution of media.

Vague Triggers

Severity: Medium | Confidence: 95%

Finding: The example trigger phrases are extremely broad (e.g., '视频号,视频' and '公众号,文章') and overlap with normal user conversation, which can cause the skill to activate unintentionally. In a data-query skill that can search articles, videos, comments, and user content, accidental invocation may send unintended queries to external services, leak conversational context, or confuse routing and user intent.

Vague Triggers

Severity: Medium | Confidence: 82%

Finding: The routing logic uses very broad trigger terms such as 'search', 'detail', 'analyze', and 'compare' without strong disambiguation. This can cause overbroad intent capture, making the agent invoke APIs for ambiguous requests or route users into data-query flows they did not explicitly request, increasing the risk of unintended external requests and data exposure.

Natural-Language Policy Violations

Severity: Medium | Confidence: 76%

Finding: Forcing all output to match a detected user language removes user choice and can conflict with platform language-preference requirements. While not a classic security bug, rigid language control can be used to override user intent or obscure safety disclosures if the language detection is wrong.

Natural-Language Policy Violations

Severity: Medium | Confidence: 76%

Finding: The output guidelines repeat a mandatory language-matching requirement based on inferred language rather than explicit user choice. Duplicating this instruction reinforces behavior that may suppress user preference and degrade transparency in safety-relevant responses.

Missing User Warnings

Severity: Medium | Confidence: 88%

Finding: The documentation tells users to download encrypted video and decrypt it with third-party tools but gives no warning about authorization, legal restrictions, privacy implications, or supply-chain risk from external tools. That omission lowers the barrier to unsafe handling of protected media and key material.

Missing User Warnings

Severity: Medium | Confidence: 87%

Finding: The repeated instructions on downloading and decrypting media omit warnings about protected-content handling and external tool safety, increasing the chance of misuse or unsafe operationalization. Repetition across endpoints reinforces the behavior as accepted usage.

Missing User Warnings

Severity: Medium | Confidence: 89%

Finding: Live replay content may carry heightened privacy and copyright sensitivity, yet the docs provide download/decryption steps without warning users about authorization, privacy, or external-tool risks. This can enable improper handling of replay media and associated decryption data.

Missing User Warnings

Severity: Medium | Confidence: 88%

Finding: Search-result documentation enables users to move directly from search output to downloading and decrypting protected media, but omits warnings about content authorization and risks from third-party tools. This makes unsafe downstream use more likely.

Missing User Warnings

Severity: Medium | Confidence: 88%

Finding: The composite search section repeats decryption guidance without any safety framing for sensitive media handling or third-party tooling. In aggregate, this creates a documented playbook for extracting protected content while suppressing risk awareness.

Missing User Warnings

Severity: Medium | Confidence: 90%

Finding: The video-detail section describes downloading and decrypting media but does not disclose the legal, privacy, or security risks of using third-party tools or handling decode keys. That omission is especially problematic because this endpoint is the most direct path from identifier to protected media asset.

Missing User Warnings

Severity: Low | Confidence: 90%

Finding: The documentation states a third-party base URL and bearer-authenticated access but does not warn users that supplied article URLs, IDs, and related identifiers are sent to an external service. This creates a transparency and privacy risk because operators may unknowingly transmit sensitive research targets or internal investigation artifacts off-platform.

VirusTotal

62/62 vendors flagged this skill as clean.