Skill v1.0.0
ClawScan security
wechat-reply-ai · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 25, 2026, 9:32 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's behavior mostly matches its stated purpose (local Windows WeChat automation), but it starts a hidden local daemon, writes state/log files and image files to disk, manipulates the clipboard and screenshots, and has other surprising persistence and file-path behaviors from an untrusted/unknown source—review before running.
- Guidance: This skill appears to do what it says (local Windows WeChat automation) but carries several practical risks you should consider before installing or running it from an unknown source:
  - Sensitive local access: it captures screenshots, reads and writes the clipboard, launches the WeChat executable, and writes log/state/image files to disk. These are necessary for GUI automation but can expose local data.
  - Persistent hidden daemon: you can start a background process (hidden) that listens on localhost and writes a state file with a token; this increases the persistent footprint and local attack surface. Inspect the state file location and contents before trusting it.
  - Hard-coded file paths: the code writes screenshots to an absolute path (e.g., D:\Backup\Documents\Playground\wechat_screen.png) — this is surprising and may overwrite files or fail on systems without that path.
  - Unknown provenance: no homepage/source repository is provided. Prefer code from a vetted author or run inside a disposable VM or sandbox.
  - Dependencies: the scripts require native Windows packages (uiautomation, pywinauto, pywin32, Pillow, rapidocr-onnxruntime). Some packages may download models or binaries; install these deliberately and inspect install steps.

  Practical next steps:
  1. Review the complete scripts locally (you already have them) and search for any network calls, remote URLs, or obfuscation. The provided code appears local-only but double-check the truncated parts before running.
  2. Run only after verifying file paths and changing hard-coded output paths to safe locations.
  3. If you must run the daemon, inspect the generated wechat_assistant_state.json and ensure the token file is protected. Consider firewall/local policy controls to restrict access to the RPC port.
  4. Prefer running in an isolated Windows VM or test account, and avoid running as administrator.

  If you are not comfortable inspecting or sandboxing, do not install from this unknown source.
Review Dimensions
- Purpose & Capability (note): Name/description match the included scripts: the code automates PC WeChat via UI automation, OCR, clipboard, screenshots, and can send messages and media. However there are surprising implementation choices (a hidden background daemon, hard-coded output path like D:\Backup\Documents\Playground\wechat_screen.png) that are not explicitly called out in the description and may be unexpected to users.
- Instruction Scope (note): SKILL.md instructs the agent to run the provided scripts (read/send/daemon). The runtime instructions and code will capture screenshots, read and set clipboard contents, search windows, launch the WeChat EXE, and write logs/state files. Those actions are within the stated purpose but are sensitive (screen/clipboard/file I/O and launching processes) and should be understood before use.
- Install Mechanism (ok): There is no install spec (instruction-only with bundled scripts), so nothing is downloaded or extracted by the registry installer. Dependencies are declared in references but not installed automatically; risk is limited to running the included Python scripts and any third-party packages they import.
- Credentials (note): The skill does not request environment variables or external credentials, which is appropriate. However the code legitimately accesses local sensitive resources (clipboard, screenshots, filesystem, ability to launch processes). Those accesses are proportional to GUI automation tasks but still sensitive and should be expected.
- Persistence & Privilege (concern): The daemon can be started as a hidden background process (powershell Start-Process with -WindowStyle Hidden), writes a state file containing host/port/token, and serves an RPC endpoint on 127.0.0.1. This creates a long-lived local service and a local token that other local processes could potentially read. While not labeled 'always', this persistent hidden daemon increases attack surface and merits caution.
