Weixin Task Workbench

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a straightforward WeChat task manager, but its registry code can silently mix task data between account folders even though the skill promises account isolation.

Review before installing. The session-management permissions are expected for this kind of task workbench, but the registry script should be changed so one WeChat/OpenClaw account cannot silently import, merge, or copy task records from another account. Also consider masking sessionKey and full registry paths in normal status output.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Intent-Code Divergence

Severity: Medium
Confidence: 92%
Finding
The protocol explicitly says internal routing details such as `sessionKey` and implementation internals should not be proactively exposed, yet later defines a `任务状态` (task status) response that reveals a task session identifier and registry path. Exposing these internals can aid reconnaissance, leak the account/contact-derived path structure, and increase the chance of cross-session confusion or misuse by users or downstream tools.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding
The code automatically searches sibling account directories and restores/merges task registries across them, which breaks account isolation and can expose one account's task metadata to another without explicit user consent. In this skill's context, tasks may contain conversation summaries, titles, tags, and session routing keys, so cross-account recovery can cause privacy leakage, data confusion, and incorrect task routing between separate Weixin/OpenClaw identities.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The skill instructs the agent to return the bound `sessionKey` and registry path in normal `任务状态` (task status) output, even though the document elsewhere says implementation details should not be exposed unless explicitly requested. Leaking internal identifiers and storage paths can aid session hijacking attempts, troubleshooting abuse, user enumeration, or disclosure of backend structure to untrusted chat participants.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The troubleshooting template directly instructs the assistant to disclose an internal session identifier and storage location in plain responses. Even if not immediately exploitable on its own, this unnecessarily exposes implementation details that can help an attacker map system structure, infer tenant/account naming, and craft more targeted follow-on prompts or attacks.

Ssd 3

Severity: Medium
Confidence: 95%
Finding
The diagnostic status template normalizes disclosure of sensitive operational details, specifically a task session identifier and the backing registry path, to any user invoking the status command. This creates an unnecessary information disclosure channel that weakens isolation assumptions and may expose personally identifying account/peer structure embedded in paths.

VirusTotal

All 60 of 60 vendors reported this skill as clean.
