WeChat Sender by dxx

Security checks across malware telemetry and agentic risk

Overview

This skill does send WeChat messages as advertised, but its real sending power is not tightly bound to the consent and contact-safety controls it claims.

Install only if you trust the local OpenClaw Gateway and intentionally want an agent to send WeChat messages. Require your workflow to confirm the exact recipient, message, and attachment before every send, and avoid using global authorization for group, scheduled, bulk, or file-sending actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Intent-Code Divergence

Medium
93% confidence
Finding
The module claims it ensures users explicitly authorize sending, but is_authorized() treats a recent global grant as sufficient for most operations and does not require per-action confirmation except for a narrow keyword-based 'dangerous' list. In a messaging/WeChat context, this can let later send actions proceed without explicit consent for the specific recipient or message, undermining the stated safety boundary.

Vague Triggers

Medium
88% confidence
Finding
The skill advertises very broad activation conditions for sending or pushing WeChat messages, which can cause an agent to invoke it for many ordinary user requests involving messaging or notifications. Because this skill performs an external side effect on a real communication channel, over-broad routing increases the chance of unauthorized, accidental, or socially engineered message sending.

Missing User Warnings

Medium
95% confidence
Finding
The script sends sensitive data including recipient identifiers, message text, and base64-encoded file contents to a local HTTP endpoint without transport protection or any explicit disclosure to the user. Even though the destination is localhost, plaintext HTTP still increases exposure to local interception, proxying, logging, or accidental forwarding by other components on the host, and the tool can also exfiltrate arbitrary local files when invoked with --image or --file.

VirusTotal

66/66 vendors flagged this skill as clean.