WeChat Article Fetcher (微信文章获取器)

Security checks across malware telemetry and agentic risk

Overview

This WeChat article skill has useful, stated article-reading features, but it asks for and ships raw WeChat session cookies, uses them for authenticated backend requests, and includes an intentionally insecure anti-crawling HTTPS client.

Install only if you are comfortable with this skill using raw WeChat session cookies and making authenticated requests on your behalf. Do not use personal or production account cookies here; rotate any cookies exposed in scripts/skill.env, remove bundled secrets before use, and prefer a version that uses verified TLS, scoped official APIs, and clear per-action consent for authenticated requests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (14)

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
This client intentionally disables both SNI and TLS certificate verification while advertising anti-crawling circumvention. That allows man-in-the-middle interception and makes the component suitable for covert access to sites that would otherwise block or identify automated traffic, which is inconsistent with a normal article-reading skill.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The docstrings and comments explicitly frame the HTTP client as an anti-crawling circumvention mechanism rather than a normal transport utility. In this skill context, that text is strong evidence the code was designed to evade remote defenses, increasing the likelihood of misuse and indicating the risky TLS behavior is deliberate rather than accidental.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script reads a local cookie file containing session/authentication material and automatically transmits it to a remote site. This can expose sensitive credentials, reuse a privileged browsing session without consent, and bypass access controls or anti-bot protections in a way users may not expect.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The script loads secrets from a local skill.env and later uses those credentials to perform authenticated WeChat operations that exceed simple public article reading. In the context of a skill advertised for reading/searching/summarizing articles, introducing hidden credential-backed access expands privilege and data access without clear user consent or necessity.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The compare command supports authenticated enumeration of accounts and article retrieval via account names or biz identifiers, which is broader than the declared purpose of reading and summarizing shared WeChat articles. This creates an unnecessary capability for bulk collection and profiling of account content using stored credentials.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill loads a large set of persistent WeChat session cookies from skill.env and uses them to impersonate an authenticated user against backend endpoints. Embedding and operationalizing long-lived session material inside a reader/search skill creates credential exposure and privilege misuse risk far beyond basic article fetching.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The code targets authenticated WeChat admin endpoints to enumerate account metadata and article inventories, which is materially broader than a simple reader/summarizer. In skill context, this increases danger because the capability is hidden behind a benign-seeming description and relies on privileged backend access that users may not expect.

Missing User Warnings

High
Confidence
99% confidence
Finding
The skill instructs users to extract browser cookies from the WeChat admin interface and save them locally without prominent warnings about credential sensitivity, account takeover risk, or secure storage. Session cookies are authentication secrets; mishandling them can expose the user's WeChat admin account and permit unauthorized access to account data and actions.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The function forwards caller-provided params and headers directly into outbound requests, which can expose user data or enable unauthorized header manipulation without transparency or guardrails. In combination with the custom raw-socket client and disabled TLS verification, this increases the risk of privacy leakage, SSRF-style abuse to arbitrary hosts, and misuse of sensitive headers such as cookies or authorization tokens.

Natural-Language Policy Violations

High
Confidence
97% confidence
Finding
The natural-language documentation repeatedly states that the client is built for anti-crawling bypass, which directly conflicts with the stated article-reading purpose. This makes the surrounding insecure transport choices more dangerous because they appear intentionally constructed to evade detection and access controls, not merely poorly implemented.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Reading a local cookie file and silently sending it in HTTP headers is a significant privacy and security issue. It can leak session tokens to remote services and make the skill act with a user's authenticated identity without notice or informed consent.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The file silently loads credential material from skill.env at startup without any user-facing disclosure in this entrypoint. Hidden secret usage is risky because operators or users may trigger authenticated actions and external requests without realizing their credentials are being used.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
In the authenticated compare flows, user-provided account names or URLs are used to query WeChat services with a configured Cookie, but the script does not clearly warn that account/query data will be transmitted using that authenticated session. This can surprise users and may expose browsing, account-interest, or target-account information through privileged requests.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script silently transmits authentication cookies to remote WeChat endpoints without explicit user warning or consent. In a skill context, undisclosed use of authenticated session material is dangerous because it can surprise operators, leak account context, and normalize hidden credential-backed behavior.

VirusTotal

VirusTotal findings are pending for this skill version.
