Back to skill

Security audit

微信 ClawBot 插件安装

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent WeChat setup helper, but it can expose WeChat login QR data to a third-party QR image service.

Install only if you are comfortable with WeChat login QR contents being included in a URL handled by api.qrserver.com. A safer approach is to scan from a real terminal or use a local/offline QR renderer, and verify the npm package before running the @latest install command.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The skill instructs users to patch a dependency so QR payloads are turned into URLs for a third-party QR generation service, which changes behavior beyond the stated installation/connect workflow and introduces external data exposure. Because the QR content likely contains authentication material for WeChat login, sending it to an external service can leak sensitive login tokens or session bootstrap data and enable account compromise.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The script silently edits a dependency file in place and leaves a backup, which changes runtime behavior without any explicit confirmation, warning, or integrity check. In a setup skill, this is risky because it can surprise operators, complicate updates, and make later troubleshooting or rollback harder, even if the goal is functional rather than malicious.

Missing User Warnings

High
Confidence
98% confidence
Finding
The patch transforms QR content into a third-party URL at api.qrserver.com, which means the QR payload is disclosed to an external service. For WeChat login or device-link flows, QR contents may contain sensitive authentication or session bootstrap data, so exposing them can leak account-linking secrets and create privacy and account-takeover risk.

External Transmission

Medium
Category
Data Exfiltration
Content
sed -i '/var qrcode = new QRCode(-1, this.error);/c\
        // Patched: output image URL instead of ASCII\
        var encoded = encodeURIComponent(input);\
        var imageUrl = "https://api.qrserver.com/v1/create-qr-code/?size=400x400&data=" + encoded;\
        var output = "\\n📷 扫码链接(复制到浏览器打开或微信扫一扫):\\n" + imageUrl + "\\n";\
        if (cb) cb(output); else console.log(output);\
        return;\n' "$QR_MAIN"
Confidence
97% confidence
Finding
https://api.qrserver.com/

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.