Wechat Tutorial Editor Publisher

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its WeChat article publishing purpose, but it needs review because it stores and reads WeChat publishing credentials and personal profile data in unsafe, under-scoped ways.

Install only if you are comfortable giving the skill access to WeChat Official Account publishing credentials and local personal branding assets. Do not store AppSecret values in the skill assets directory or rely on MD5; use temporary environment variables or a real secret manager, review all Markdown and images before publishing, run the local server only when needed, and delete stored profile/QR/images when finished. Static scan was clean and VirusTotal was pending, so this Review verdict is based on artifact-backed credential, persistence, install, and local-server concerns rather than malware telemetry.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The documented behavior materially exceeds the skill’s stated purpose: beyond article drafting/publishing, it runs a local server, collects and stores personal data, reads credentials from external files, and installs software. This scope expansion increases attack surface and makes it easier to normalize sensitive data handling and code execution that users may not expect from a writing assistant.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The skill instructs storing WeChat AppId/AppSecret locally and later 'decrypting' them, which implies reversible secret retention. Persisting credentials in a skill directory greatly increases the chance of credential theft, accidental disclosure, or reuse by unrelated processes, especially without a secure secret store or access controls.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The skill can auto-install a global npm package and execute shell commands, which introduces supply-chain and arbitrary command execution risk beyond pure content generation. Even if intended for convenience, global installation and shell execution can modify the host environment and pull untrusted code from registries.

Context-Inappropriate Capability

Low
Confidence
94% confidence
Finding
The template hardcodes an absolute local filesystem path to an image under a specific user's home directory. This leaks host-specific environment details and can cause the agent to access unintended local files outside the skill's intended article assets boundary, which is especially risky in an automated publishing workflow that may resolve and embed local content.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
This page collects personal profile data, free-form self-introduction text, and an uploaded image/QR code, then submits it to a backend endpoint. For a skill whose stated purpose is tutorial drafting and WeChat article publishing, this data collection is not clearly necessary and creates avoidable privacy and data-handling risk, especially because QR codes can encode direct contact details or account linkage.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The form explicitly requests a personal WeChat QR code or profile image without showing a legitimate connection to drafting or publishing tutorial articles. Collecting identity-linked images or contact QR codes can expose users to privacy loss, unwanted contact, impersonation, or downstream misuse if the backend stores or republishes them.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The script installs a global npm package at runtime if `wenyan` is missing, which expands the skill's behavior from publishing content to modifying the host environment and executing code fetched from an external registry. In an agent context this is risky because it introduces supply-chain exposure and unexpected system mutation without an explicit approval step.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The script silently loads `WECHAT_APP_ID` and `WECHAT_APP_SECRET` from `$HOME/.openclaw/workspace/TOOLS.md`, causing it to consume credentials from a broad local secrets file rather than requiring narrowly scoped, explicit input. This increases the chance of unauthorized use of stored credentials and normalizes secret scraping from unrelated workspace files.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The script reads secrets from a user-wide $HOME/.openclaw/workspace/TOOLS.md file and exports them into the current shell without any scoping, provenance check, or minimization. Although accessing WeChat credentials is related to publishing, pulling them from a broadly scoped shared file increases the attack surface and can unintentionally expose or normalize access to unrelated secrets stored in that file.

Missing User Warnings

High
Confidence
99% confidence
Finding
The instruction to save AppId/AppSecret locally for future reuse, coupled with reversible recovery, omits any meaningful warning about secret persistence risk and promotes unsafe handling. This can directly compromise the user’s WeChat publishing account if the local file is accessed by other tools, malware, backups, or collaborators.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill advertises automatic publication and image upload to external WeChat services without clearly warning that article text, images, and metadata will be transmitted off-host. In a workflow that also handles personal profile images and QR codes, that omission raises privacy and integrity concerns and may lead users to disclose more than intended.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script performs `npm install -g @wenyan-md/cli` automatically after detecting a missing dependency, without interactive confirmation or a prior mandatory consent flag. This can lead to unintended package installation and execution in environments where the user expected only a publish operation, increasing both supply-chain and persistence risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script accesses and exports sensitive credentials with no prior warning, consent prompt, or dry-run notice, so users sourcing it may unknowingly load secrets from disk into their shell session. That behavior is risky because sourced environment variables become available to subsequent commands and child processes, increasing the chance of accidental disclosure or misuse.

Ssd 3

High
Confidence
95% confidence
Finding
The skill directs retention and reuse of personal profile data and credentials across sessions in local files, which creates unnecessary long-lived sensitive data stores. In this context, retaining nickname, bio, QR/personal images, and related publishing data increases the blast radius of local compromise and exceeds strict necessity for one-time article publishing.

Ssd 3

Critical
Confidence
100% confidence
Finding
This is a direct instruction to persist user AppId and AppSecret locally and recover them later via a reversible scheme mislabeled as md5 encryption. MD5 is not encryption and cannot safely support secret storage; the overall pattern strongly risks credential exposure and unauthorized account use.

VirusTotal

65/65 vendors flagged this skill as clean.
