mmxagent-skill-wechat

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed WeChat account connection flow with real credential-handling risk, but its sensitive steps are purpose-aligned and require user action.

Install only if you intend to connect a personal WeChat account to OpenClaw and trust the npm packages and registry mirror used by the setup. Prefer the local QR file, avoid the optional CDN upload unless necessary, and do not run this on a shared machine because it writes a reusable bot token under ~/.openclaw.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding
The skill explicitly allows uploading a one-time WeChat login QR code to an external CDN, which exposes an active authentication artifact outside the local environment. Even if described as optional, this expands the trust boundary beyond the stated purpose of local account connection and could let unintended parties access or race to use the QR session.

Ssd 3

Medium
Confidence: 98%
Finding
Permitting exposure of a live authorization QR code through an external CDN can leak a valid login mechanism to anyone who obtains the URL during its validity window. Because the QR is effectively a bearer-style login artifact, publishing it externally materially increases account takeover risk.

Ssd 3

Medium
Confidence: 88%
Finding
Displaying account identifiers, base URL, user ID, and a token prefix in chat increases exposure of authentication metadata and can aid phishing, correlation, or credential handling mistakes. While a masked prefix is not a full secret, echoing credential-related fields in natural language broadens where sensitive data appears and may persist in logs or transcripts.

Ssd 3

Medium
Confidence: 98%
Finding
The optional online-link branch republishes the login QR code over the internet, turning a local authentication step into an externally reachable one. This makes interception, accidental sharing, and unauthorized scanning more likely, especially for a short-lived but high-value login token.

Ssd 3

Medium
Confidence: 90%
Finding
The skill instructs the agent to present authentication-related fields back to the user in a conversational table before writing them, which can cause sensitive operational details to be stored in chat history, agent logs, or monitoring systems. In security-sensitive workflows, even partial token disclosure and identifier disclosure increase the attack surface.

VirusTotal

65/65 vendors flagged this skill as clean.
