WeChat Tietu Draft

Security checks across malware telemetry and agentic risk

Overview

The skill appears intended to create WeChat Official Account drafts, but it is rated Review because it can drive a logged-in account, force-kill whatever local process holds the configured debugging port, and leave sensitive WeChat session details (logs and screenshots) in local files.

Install only if you are comfortable giving it temporary control of a logged-in WeChat Official Account session. Use a dedicated Chrome profile and port, avoid shared machines, review the draft before publishing, and delete generated logs, screenshots, and temporary Chrome profile directories after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (10)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def _chrome_kill_port_pids(port=DEFAULT_CDP_PORT):
    """释放调试端口(macOS/Linux:lsof + kill)。"""
    try:
        r = subprocess.run(
            ["lsof", "-ti", f":{port}"],
            capture_output=True,
            text=True,
Confidence
95% confidence
Finding
r = subprocess.run( ["lsof", "-ti", f":{port}"], capture_output=True, text=True, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
            return False
        for pid in r.stdout.strip().split():
            try:
                subprocess.run(["kill", "-9", pid], capture_output=True, timeout=2)
            except Exception:
                pass
        time.sleep(2)
Confidence
97% confidence
Finding
subprocess.run(["kill", "-9", pid], capture_output=True, timeout=2)

Missing Permission Declaration

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill advertises and documents capabilities to read/write local files, launch and control Chrome via CDP, access network resources, inspect environment state, and invoke shell commands, but it does not declare permissions or present them clearly as explicit permissions. This creates a transparency and governance gap: users or orchestrators may invoke a powerful skill without understanding its real authority, increasing the risk of unintended browser control, local artifact creation, or misuse in broader automation contexts.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script globally removes proxy-related environment variables at startup for the entire process and all child operations, changing network behavior without consent. In an enterprise or monitored environment, this can bypass expected routing, logging, or security controls and make downstream behavior less predictable.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger phrase "贴图草稿" (roughly "image draft") is overly broad and can plausibly appear in normal conversation, causing accidental activation of a skill that can start Chrome, manipulate a logged-in WeChat Official Accounts session, and write local files. Because the skill performs side-effecting actions, ambiguous invocation raises the risk of unintended browser automation and unauthorized draft creation from casual discussion rather than deliberate user intent.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The activation list again includes the ambiguous short phrase "贴图草稿" without context guards or exclusion rules. In a chat environment, this can lead to false activations of a privileged automation skill, making unintended access to an authenticated Official Accounts session more likely and increasing the chance of accidental content operations.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation states behavior that includes automatically launching Chrome, controlling the browser through CDP, capturing a login screenshot, and writing local log/screenshot files, but it does not present these side effects as a clear up-front warning in the skill description. This weakens informed consent and can expose sensitive account context or local data artifacts unexpectedly, especially because screenshots and logs may contain session-related or account-identifying information.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The code silently strips proxy/VPN-related variables before performing networked browser automation and launching child processes. That undermines user expectations and may unintentionally bypass organizational network policy or break security monitoring.
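The two proxy findings above (the global removal of proxy variables at startup, and the absence of any warning about it) have the same root cause: the script edits the process-wide environment when all it needs is a direct path to its own CDP endpoint on 127.0.0.1. The following is an added example of the scoped alternative, written for this report and not taken from the skill's code. It builds a per-child environment that keeps the operator's proxy settings and only adds loopback names to NO_PROXY, makes proxy stripping an explicit opt-in that is printed before launch, and routes the skill's own CDP HTTP calls through an opener that ignores proxy variables. The function names (scoped_child_env, launch_chrome, cdp_opener), the corporate proxy value in the test and the chrome_path argument are assumptions for illustration.

```python
import subprocess
from typing import Dict, List, Mapping
from urllib.request import ProxyHandler, build_opener

# Variables the skill currently pops from os.environ for the whole process.
PROXY_VARS = ("HTTP_PROXY", "HTTPS_PROXY", "ALL_PROXY",
              "http_proxy", "https_proxy", "all_proxy")
# Names the CDP endpoint is reached under; these must never go through a proxy.
LOOPBACK = ("127.0.0.1", "localhost", "::1")


def scoped_child_env(base: Mapping[str, str], *, strip_proxies: bool = False) -> Dict[str, str]:
    """Environment for the Chrome child process, derived from `base` without mutating it.

    Default: keep the operator's proxy settings and only append the loopback names
    to NO_PROXY so the CDP endpoint on 127.0.0.1 is reached directly.
    strip_proxies=True is an explicit opt-in that drops proxy variables for this
    child only; the parent process and its other children are untouched."""
    env = dict(base)                       # copy: os.environ is never edited
    if strip_proxies:
        for k in PROXY_VARS:
            env.pop(k, None)
    current = env.get("NO_PROXY") or env.get("no_proxy") or ""
    hosts: List[str] = [h.strip() for h in current.split(",") if h.strip()]
    for host in LOOPBACK:
        if host not in hosts:
            hosts.append(host)
    env["NO_PROXY"] = env["no_proxy"] = ",".join(hosts)
    return env


def proxy_policy_summary(env: Mapping[str, str]) -> str:
    """One line to show the user before launch, so the network path is on record."""
    active = sorted(k for k in PROXY_VARS if env.get(k))
    return f"proxy vars kept: {', '.join(active) or 'none'}; NO_PROXY={env.get('NO_PROXY', '')}"


def cdp_opener():
    """Opener for the skill's own CDP HTTP calls (http://127.0.0.1:<port>/json/...).
    An empty ProxyHandler makes urllib ignore proxy env vars for these requests only."""
    return build_opener(ProxyHandler({}))


def launch_chrome(chrome_path: str, port: int, user_data_dir: str,
                  base_env: Mapping[str, str], *, strip_proxies: bool = False) -> subprocess.Popen:
    """Start Chrome with the scoped environment and print the policy first (hypothetical helper)."""
    env = scoped_child_env(base_env, strip_proxies=strip_proxies)
    print("[proxy policy] " + proxy_policy_summary(env))
    argv = [chrome_path,
            f"--remote-debugging-port={port}",
            f"--user-data-dir={user_data_dir}"]
    return subprocess.Popen(argv, env=env)
```

Two caveats. Chrome only reads proxy environment variables on Linux; on macOS it follows the system proxy configuration, and on every platform its proxy behaviour is controlled directly with the --proxy-server and --proxy-bypass-list flags, so the environment scoping above mainly protects the skill's own Python requests and any child tools. And Chrome already bypasses proxies for localhost by default, which is exactly why the blanket removal in the finding buys the skill nothing it needs.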

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script captures a full browser screenshot from a WeChat-related tab and writes it to disk automatically, potentially including QR codes, account information, messages, or other sensitive browser content. In this skill context, screenshots of an authenticated publisher console can expose sensitive operational data to local users, backup systems, or other tools.

Missing User Warnings

High
Confidence
98% confidence
Finding
The function force-kills whatever process is listening on the configured port, with no user confirmation and no check that it belongs to Chrome, let alone to the Chrome instance the skill itself launched. Because the port is configurable, this can disrupt arbitrary local services and is especially risky in shared developer environments.
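The safer shape of this routine is to treat the port lookup as a candidate list and kill only processes that can be verified as the skill's own Chrome. The code below is an added example written for this report, not the skill's code: it reads each listener's argv and requires a Chrome/Chromium executable carrying both the expected --remote-debugging-port and the expected --user-data-dir before sending SIGTERM, escalating to SIGKILL only for an already-verified PID that is still listening after a grace period. The lookup and signalling hooks are injectable so the policy can be unit-tested without touching real processes; the function names, the lsof flag set, the profile path and the PIDs in the test are assumptions for illustration.

```python
import os
import signal
import subprocess
import time
from typing import Callable, List, Sequence, Tuple

DEFAULT_CDP_PORT = 9222  # assumed default for --remote-debugging-port


def list_listener_pids(port: int) -> List[int]:
    """PIDs holding a TCP LISTEN socket on `port` (macOS/Linux, needs lsof)."""
    r = subprocess.run(
        ["lsof", "-nP", "-t", f"-iTCP:{port}", "-sTCP:LISTEN"],
        capture_output=True, text=True, timeout=5,
    )
    return [int(p) for p in r.stdout.split() if p.isdigit()]


def read_cmdline(pid: int) -> List[str]:
    """argv of `pid`: /proc on Linux, `ps` on macOS. Empty list if the PID is gone."""
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as f:
            return [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
    except FileNotFoundError:
        r = subprocess.run(["ps", "-o", "command=", "-p", str(pid)],
                           capture_output=True, text=True, timeout=5)
        return r.stdout.split()   # whitespace-split: paths with spaces arrive as several tokens


def is_our_chrome(argv: Sequence[str], port: int, user_data_dir: str) -> bool:
    """Accept only a Chrome/Chromium whose flags name *our* CDP port and *our* profile dir.
    Any other listener (a dev server, another user's browser) is left alone."""
    if not argv:
        return False
    # Non-flag tokens form the executable path; joined so "Google Chrome" from `ps` still matches.
    exe = " ".join(a for a in argv if not a.startswith("--")).lower()
    if "chrome" not in exe and "chromium" not in exe:
        return False
    return (f"--remote-debugging-port={port}" in argv
            and f"--user-data-dir={user_data_dir}" in argv)


def release_cdp_port(
    port: int,
    user_data_dir: str,
    *,
    list_pids: Callable[[int], List[int]] = list_listener_pids,
    cmdline: Callable[[int], List[str]] = read_cmdline,
    send_signal: Callable[[int, int], None] = os.kill,
    sleep: Callable[[float], None] = time.sleep,
    grace_seconds: float = 2.0,
) -> Tuple[List[int], List[int]]:
    """Free the CDP port by terminating only processes verified as our own Chrome.

    Returns (terminated, skipped). SIGTERM first so Chrome can flush its profile;
    SIGKILL only if the same PID is still listening after the grace period."""
    terminated: List[int] = []
    skipped: List[int] = []
    for pid in list_pids(port):
        if pid == os.getpid() or not is_our_chrome(cmdline(pid), port, user_data_dir):
            skipped.append(pid)            # not ours: report it, never kill it
            continue
        send_signal(pid, signal.SIGTERM)
        terminated.append(pid)
    if terminated:
        sleep(grace_seconds)
        still_listening = set(list_pids(port))
        for pid in terminated:
            if pid in still_listening:
                send_signal(pid, signal.SIGKILL)   # escalate only for a PID already verified
    return terminated, skipped


if __name__ == "__main__":
    done, left = release_cdp_port(DEFAULT_CDP_PORT, os.path.expanduser("~/.wx-tietu-profile"))
    print(f"terminated={done} skipped={left}")
```

A skipped PID should be surfaced to the user rather than silently ignored, since it means the port is held by something the skill should not touch and the right fix is to pick another port. The check is still subject to PID reuse between the lookup and the signal; on a busy shared host, holding the Chrome process handle from the skill's own launch (and killing only that) removes the lookup entirely.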

VirusTotal

63/63 vendors flagged this skill as clean.
