Smart WeChat Chat History Organizer (微信聊天记录智能整理)

Security checks across malware telemetry and agentic risk

Overview

The skill does what it claims, but it asks for broad access to private WeChat data and local files without enough scoping or consent controls.

Install only if you are comfortable giving a third-party WeChat CLI and local scripts access to private WeChat history and possibly macOS Full Disk Access. Use narrow chat/date limits, review extracted content before saving, avoid broad exports, verify the wechat-cli package source, and treat Obsidian/calendar outputs as additional copies of sensitive messages.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill instructs the agent to read local WeChat data and write extracted content into Obsidian notes, but it declares no permissions or consent boundaries. In a skill handling private chats and local files, undeclared file read/write capability is dangerous because it obscures the true data-access scope and can lead to silent exfiltration, persistence, or modification of sensitive user data.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The attachment helper recursively enumerates the user's entire local WeChat file store instead of limiting access to attachments tied to the requested chat or explicit extracted records. In a skill designed to process chat data, this broad local data access materially increases privacy exposure and could reveal unrelated sensitive files across all conversations.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The skill description is broad enough that normal requests about reading chats, summarizing messages, storing notes, or creating reminders may trigger it without the user appreciating that sensitive local WeChat records and files will be accessed. In this context, overbroad invocation increases the chance of unintended activation of powerful local-data operations.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill advertises reading local WeChat chat records and extracting structured information, but it does not prominently warn that this involves access to highly sensitive personal and business communications. Because chat history often contains credentials, financial details, private contacts, and confidential work content, missing upfront risk disclosure materially weakens informed consent.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Telling users to grant Full Disk Access is highly sensitive because it expands the effective reach of the tooling far beyond one application's data. Without strong warnings, least-privilege guidance, and justification, this can normalize excessive privileges and expose the user's broader filesystem to compromise if the tool or workflow is abused.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill directs the agent to persist extracted chat content into Obsidian notes and calendar entries, but it does not clearly warn that this creates secondary copies of sensitive communications in other systems. That data multiplication increases exposure through sync services, backups, search indexing, shared vaults, and calendar sharing, making the privacy impact substantially worse.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
This reference file documents commands to read, search, and export WeChat conversations, including outputs to local files, but provides no privacy or consent guidance. In a skill specifically designed to extract chat content and store it into notes or reminders, omission of warnings increases the risk of over-collection, unintended disclosure of sensitive personal data, and unsafe downstream storage.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The instructions tell users to grant Full Disk Access on macOS and run initialization with sudo, but do not explain the security and privacy implications of those elevated permissions. Because this skill processes private WeChat records, normalizing broad filesystem access and privileged setup without warnings can lead to excessive access, accidental exposure of unrelated data, or unsafe execution of a highly privileged tool.

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
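1. **Privacy protection**: WeChat data is processed locally only; no data is uploaded
2. **WeChat must be running**: WeChat must be running when commands are executed
3. **Permission requirement**: macOS must be granted "Full Disk Access"
4. **First use**: run `sudo wechat-cli init` first to initialize
5. **Obsidian path detection**: **the actual path of the Obsidian vault must be detected first**; do not assume it is `~/Obsidian/`
   - Read `~/Library/Application Support/obsidian/obsidian.json`
   - Parse the `vaults` field to get the actual path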
Confidence
96% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
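| Error message | Solution |
|---------|---------|
| "微信未运行" (WeChat is not running) | Start WeChat and retry |
| "需要初始化" (initialization required) | Run `sudo wechat-cli init` |
| "权限被拒绝" (permission denied) | Check whether the terminal has Full Disk Access |
| "找不到联系人" (contact not found) | Use `wechat-cli sessions` to confirm the correct contact name |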
Confidence
96% confidence
Finding
sudo

VirusTotal

VirusTotal findings are pending for this skill version.