wechat-pack

Security checks across malware telemetry and agentic risk

Overview

The skill is a legitimate WeChat document packager that does what it describes, but crafted inputs can make it fetch arbitrary URLs or copy local files referenced by image tags into the generated publish folder.

Use this only on documents and cover URLs you trust. Before sharing or publishing the generated folder, inspect the assets and cover directories, because a crafted document can trigger outbound network requests or place local files referenced by image tags into the output.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88%
Finding
The skill documentation describes, and thereby implicitly authorizes, capabilities including local file reads and writes, invocation of the external `pandoc` binary, and network access for downloading images and covers, yet it declares no explicit permissions. This is a real trust and containment problem: consumers may invoke the skill expecting a simple local formatter, while it can read and write the filesystem, execute external programs, and fetch remote content.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91%
Finding
The declared purpose understates materially relevant behavior: the skill accepts HTML, downloads remote resources, decodes inline base64 images, fetches remote cover images, and generates additional derivative files and metadata. Users may therefore feed it untrusted documents believing it is a local-only converter, while its actual behavior widens the attack surface to SSRF-like network access, ingestion of unexpected remote data, and broader filesystem writes.

Description-Behavior Mismatch

Medium
Confidence
95%
Finding
The skill fetches remote image URLs embedded in the input HTML or Markdown and stores the results locally, creating outbound network access that is broader than a "local document packaging" workflow suggests. This can leak the user's IP address and client metadata to whoever controls the URL, enable SSRF against internal resources when attacker-controlled content is processed, and pull untrusted content into the output unexpectedly.

Context-Inappropriate Capability

Medium
Confidence
92%
Finding
This code path performs arbitrary URL downloads via urllib based on document content, which exceeds a purely local conversion role and introduces remote fetch behavior. In hostile inputs, this can be abused for SSRF-like access attempts, tracking, or pulling malicious/unexpected payloads into the generated package.

Missing User Warnings

Medium
Confidence
96%
Finding
Remote asset downloads happen automatically whenever the input contains HTTP(S) image sources, with no user confirmation and no warning that outbound requests will be made. This is dangerous because users may expect local-only processing, while attacker-supplied content can trigger unexpected network activity and privacy leakage.

Missing User Warnings

Medium
Confidence
95%
Finding
The --cover option accepts remote URLs and downloads them directly, causing outbound traffic based on user-supplied input without prominent disclosure. Although the URL is user-supplied, this still creates a privacy and SSRF surface, especially in automated or agent-driven environments where the caller may not realize that network access will occur.
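The Overview advises inspecting the generated folder before publishing, and the findings above all come down to one question: which references in the input document would make the packager fetch a URL or copy a local file? The following is an added example, not code from the wechat-pack skill, that answers that question before the packager runs. It extracts every Markdown and HTML image target, classifies it as inline data, a local path inside or outside the document directory, or a remote URL, and applies an SSRF guard that rejects any remote host resolving to a non-global address (loopback, RFC 1918, the 169.254.0.0/16 link-local block that cloud metadata services live in). The `is_safe_remote_url` policy, the `offline_resolver` table and `SAMPLE_DOC` are constructed for illustration and are not part of the skill.

```python
"""Pre-flight audit of image references before handing a document to a packager.

Added example (not wechat-pack code). The SSRF policy, the offline resolver
table and the sample document below are constructed for illustration.
"""
import ipaddress
import os
import re
import socket
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Markdown image syntax: ![alt](target ...). HTML <img src=...> is handled below.
MD_IMAGE = re.compile(r"!\[[^\]]*\]\(\s*([^)\s]+)")


class _ImgSrcCollector(HTMLParser):
    """Collect src attributes of <img> tags embedded in the document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def image_references(text):
    """Return every image target from Markdown syntax and inline HTML."""
    parser = _ImgSrcCollector()
    parser.feed(text)
    return MD_IMAGE.findall(text) + parser.srcs


def default_resolver(host):
    """Real DNS resolution; the tests swap in offline_resolver instead."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def is_safe_remote_url(url, resolver=default_resolver):
    """SSRF guard: http(s) only, and every resolved address must be globally routable."""
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        return False
    if host == "localhost" or host.endswith(".localhost"):
        return False
    try:
        addrs = resolver(host)
    except (OSError, KeyError):          # gaierror is an OSError; KeyError from the fake table
        return False
    if not addrs:
        return False
    for addr in addrs:
        ip = ipaddress.ip_address(addr.split("%")[0])   # drop any IPv6 zone id
        if not ip.is_global:             # loopback, private, link-local, documentation ranges
            return False
    return True


def classify_reference(ref, doc_dir, resolver=default_resolver):
    """Say what a packager would do with one image target."""
    scheme = urlsplit(ref).scheme.lower()
    if scheme == "data":
        return "inline-data"
    if scheme in ("http", "https"):
        return "remote-ok" if is_safe_remote_url(ref, resolver) else "remote-blocked"
    if scheme:
        return "scheme-blocked"          # file:, ftp:, ... are never acceptable here
    # No scheme: a local path that would be copied into the output folder.
    root = os.path.realpath(doc_dir)
    target = os.path.realpath(os.path.join(root, ref))
    inside = target == root or target.startswith(root + os.sep)
    return "local-inside" if inside else "local-outside"


def audit_document(text, doc_dir, resolver=default_resolver):
    """Return ([(reference, verdict), ...], safe_to_pack)."""
    report = [(ref, classify_reference(ref, doc_dir, resolver))
              for ref in image_references(text)]
    safe = all(v in ("inline-data", "remote-ok", "local-inside") for _, v in report)
    return report, safe


# Constructed sample: one legitimate remote image, one local image, and four
# references of the kind a crafted document would plant.
SAMPLE_DOC = """# Launch post
![cover](https://cdn.example.com/cover.png "hero")
![logo](images/logo.png)
![leak](../../.ssh/id_ed25519)
<img src="http://169.254.169.254/latest/meta-data/">
<img src="http://localhost:8080/admin">
![inline](data:image/png;base64,iVBORw0KGgo=)
"""


def offline_resolver(host):
    """Constructed resolver so the example runs without DNS."""
    try:
        ipaddress.ip_address(host)      # an IP literal resolves to itself
        return [host]
    except ValueError:
        return {"cdn.example.com": ["93.184.216.34"]}[host]


if __name__ == "__main__":
    report, safe = audit_document(SAMPLE_DOC, "doc", offline_resolver)
    for ref, verdict in report:
        print(f"{verdict:15} {ref}")
    print("safe to pack:", safe)
```

Run it as a gate in front of the packager: refuse the document whenever `safe` is false, and treat a `remote-ok` verdict as "allowed by policy", not "trusted", since the fetched bytes are still untrusted content. Resolving the hostname at check time does not remove DNS rebinding, where the name resolves to a public address during the check and to an internal one at fetch time; the only complete fix is to resolve once and connect to the vetted address, or to route every download through a fetch-only proxy that cannot reach internal networks.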

VirusTotal

66/66 vendors reported this skill as clean (no detections).