
Security audit

Wechat Article Parser Local

Security checks across malware telemetry and agentic risk

Overview

The basic WeChat parser is coherent, but the optional Feishu saver can automatically change table schema and delete rows without clear prior warning.

Use the local parser only if you just need article extraction. Before using the Feishu saver, review the script, use a dedicated low-privilege Feishu app and test table, back up important data, and disable or manually approve the automatic field creation and blank-row deletion logic.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"--max-chars", "5000"
        ]
        
        result = subprocess.run(
            cmd,
            capture_output=True,
            text=True,
Confidence
83% confidence
Finding
result = subprocess.run(cmd, capture_output=True, text=True, timeout=30)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill advertises executable capabilities including environment access, file writing, network access, and shell usage, but does not declare permissions or boundaries to the user. This creates a transparency and consent problem: users may trigger actions that access secrets, write local files, or make outbound requests without understanding the scope of what the skill can do.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose is narrowly scoped to parsing WeChat public-account articles, but the observed behavior includes broader URL handling, Feishu API operations, local persistence, and subprocess-based content retrieval/summarization. This mismatch is dangerous because it undermines informed consent and can conceal materially different data flows and execution paths, including external transmission and shell invocation.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The skill claims WeChat-article parsing, but the source-detection logic explicitly supports multiple unrelated platforms. This scope expansion increases the chance that the skill will fetch and process data users did not expect, weakening trust and policy alignment for a narrowly scoped agent skill.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The script does more than save an article: it mutates Feishu table schema and deletes existing records during normal operation. In the context of a content-saving skill, destructive and administrative actions are unexpected and can cause data loss or unauthorized modification of user resources.

Context-Inappropriate Capability

Medium
Confidence
81% confidence
Finding
The skill invokes an external CLI to fetch web content even though the manifest describes a parser/saver workflow, not arbitrary tool execution. This increases attack surface through PATH hijacking, dependency confusion, and uncontrolled behavior of an external binary processing untrusted URLs.

Missing User Warnings

Low
Confidence
83% confidence
Finding
The README encourages saving parsed article content, including summaries and body text, to Feishu but does not clearly warn users that article data will be transmitted to a third-party SaaS platform. This can create an informed-consent and data-handling risk, especially if users process sensitive, private, or copyrighted material without realizing it leaves the local environment.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The save-to-Feishu feature implies that article URLs and extracted content may be sent to a third-party service, but the documentation does not clearly warn users about this transmission. That omission can lead to unintended disclosure of sensitive reading material, article contents, or metadata to external systems, especially in enterprise or regulated contexts.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The script reads Feishu app credentials from environment variables and transmits them to obtain an access token without any user-facing disclosure. In an agent-skill context, undisclosed credential use is risky because users may not realize the skill is operating with privileged application access to external resources.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script fetches article content, uploads it to Feishu, and may delete table records, yet it provides no explicit warning or confirmation for these state-changing network actions. In a local agent skill, hidden destructive side effects materially increase risk of privacy leakage and accidental data loss.

VirusTotal

VirusTotal findings are pending for this skill version.
