wacai-index-official-website-demand-change

Security checks across malware telemetry and agentic risk

Overview

This skill does what it describes, but it can commit and push repository changes and send project details to a bundled Enterprise WeChat (WeCom) webhook without a separate approval step.

Install only if you intend to let this skill modify a specified repository, commit all pending changes, push to the selected branch, and send repository metadata to Enterprise WeChat. Replace or remove the bundled webhook key (supply your own from the environment if you keep the notification), push only to a disposable feature branch, and require a human to review the diff before the commit-and-push step runs.
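The mitigations above, as an added shell example that is not the skill's own code: a guarded commit-and-push wrapper that refuses protected branches, defaults to a dry run, shows the staged diff and asks for confirmation before committing, reads the webhook URL only from the environment, and sends a minimal notification. The protected-branch list, the `WECOM_WEBHOOK_URL` variable name and the `--run` entry point are assumptions for this example.

```shell
#!/usr/bin/env sh
# Added example, not the skill's own code: a guarded commit-and-push wrapper
# that applies the Overview's mitigations. Assumed policy: protected branch
# names, webhook URL supplied only via WECOM_WEBHOOK_URL, dry run by default.
set -eu

PROTECTED_BRANCHES="main master release"

# Succeeds if the branch is on the protected list (no automated pushes there).
is_protected_branch() {
  for b in $PROTECTED_BRANCHES; do
    [ "$1" = "$b" ] && return 0
  done
  return 1
}

# The webhook key must come from the environment, not from source. Accept only
# the public WeCom group-bot URL shape so a stray value cannot redirect traffic.
webhook_from_env() {
  case "${WECOM_WEBHOOK_URL:-}" in
    https://qyapi.weixin.qq.com/cgi-bin/webhook/send\?key=?*) return 0 ;;
    *) return 1 ;;
  esac
}

# Data minimization: notify with branch and commit subject only, not the
# project path or change summary. Assumes both values are free of '"' and '\'.
build_notification() {
  printf '{"msgtype":"text","text":{"content":"pushed %s: %s"}}' "$1" "$2"
}

# guarded_push REPO BRANCH SUBJECT [DRY_RUN=1]
guarded_push() {
  repo="$1"; branch="$2"; subject="$3"; dry_run="${4:-1}"
  if is_protected_branch "$branch"; then
    echo "refusing automated push to protected branch '$branch'" >&2
    return 2
  fi
  git -C "$repo" add -A
  echo "=== staged changes; review before anything is committed ==="
  git -C "$repo" --no-pager diff --cached
  if [ "$dry_run" = 1 ]; then
    echo "dry run: nothing committed, pushed or sent"
    return 0
  fi
  printf 'Commit and push to %s? [y/N] ' "$branch"
  read -r answer
  [ "$answer" = y ] || { echo "aborted by reviewer" >&2; return 3; }
  git -C "$repo" commit -m "$subject"
  git -C "$repo" push origin "$branch"
  if webhook_from_env; then
    curl -sS -X POST -H 'Content-Type: application/json' \
      -d "$(build_notification "$branch" "$subject")" "$WECOM_WEBHOOK_URL"
  else
    echo "no WECOM_WEBHOOK_URL set; notification skipped" >&2
  fi
}

# Usage: guarded_push.sh --run /path/to/repo feature/demand-change "Apply demand" 0
if [ "${1:-}" = --run ]; then
  guarded_push "$2" "$3" "$4" "${5:-1}"
fi
```

Run it once without the trailing `0` to see the staged diff with nothing committed; the confirmation prompt and the push only happen when dry run is explicitly disabled, and the notification carries no project path or summary text.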

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 95%
Finding
The skill exercises sensitive capabilities, including shell execution, filesystem read/write, network access, and likely environment access, yet it declares no permissions or trust boundaries. This hides the real blast radius from users and from any policy-enforcement layer, making it easier for the skill to take impactful actions such as modifying repositories, pushing code, or exfiltrating data via the webhook without explicit consent controls.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 92%
Finding
The documented behavior understates several impactful actions: sending data to a fixed external webhook, auto-generating and transmitting code-change summaries, and creating the target project directory if it does not already exist. This mismatch prevents informed consent and can lead to unintended data disclosure or to writes outside the repository the user intended.

Context-Inappropriate Capability

Severity: Medium
Confidence: 99%
Finding
The script hardcodes a live WeCom webhook URL, which is effectively a secret-bearing endpoint embedded in source code. Anyone with access to the code can reuse the webhook to post unauthorized messages to the organization's channel, spam it, or impersonate trusted automation.
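Two of the findings above (the undeclared capabilities under MCP Least Privilege and the hardcoded WeCom webhook here) lend themselves to a pre-install check. The following is an added shell example, not code from the skill or from the scanner: it greps a skill directory for an embedded WeCom webhook key and reports which sensitive capabilities the code exercises, so the list can be compared with what the skill declares. The URL shape is the public WeCom group-bot format; the capability patterns are heuristics chosen for this example; the fixture it scans is constructed, with an obviously fake key.

```shell
#!/usr/bin/env sh
# Added example, not the skill's or the scanner's own code: a pre-install check
# that greps a skill directory for an embedded WeCom webhook key and reports
# the sensitive capabilities its code exercises, so they can be compared with
# what the skill declares. The URL shape is the public WeCom group-bot format;
# the capability patterns are heuristics; the fixture below is constructed.
set -eu

WECOM_WEBHOOK_RE='qyapi\.weixin\.qq\.com/cgi-bin/webhook/send\?key=[0-9A-Za-z-]+'

# Print every file:line that embeds a webhook key.
list_webhook_keys() {
  grep -rEn "$WECOM_WEBHOOK_RE" "$1" 2>/dev/null || true
}

# Echo the number of embedded webhook keys (0 when none).
count_webhook_keys() {
  hits=$(list_webhook_keys "$1")
  if [ -z "$hits" ]; then echo 0; else printf '%s\n' "$hits" | wc -l | tr -d ' '; fi
}

# One capability name per line, derived from code patterns (heuristic).
used_capabilities() {
  dir="$1"
  grep -rqE 'git[[:space:]]+push|"git",[[:space:]]*"push"' "$dir" && echo git_push
  grep -rqE 'curl[[:space:]]|requests\.|urllib|http\.client' "$dir" && echo network
  grep -rqE 'os\.environ|getenv\(' "$dir" && echo env_read
  grep -rqE 'subprocess|os\.system|sh[[:space:]]+-c' "$dir" && echo shell
  return 0
}

# Prints the report; fails when the skill should not be installed as-is.
preinstall_check() {
  n=$(count_webhook_keys "$1")
  echo "embedded webhook keys: $n"
  echo "capabilities used:"; used_capabilities "$1" | sed 's/^/  /'
  if [ "$n" = 0 ]; then return 0; else return 1; fi
}

# Constructed stand-in for a skill's notification script (fake key).
make_fixture() {
  d=$(mktemp -d)
  cat > "$d/notify.py" <<'EOF'
import os, subprocess, requests
WEBHOOK = "https://qyapi.weixin.qq.com/cgi-bin/webhook/send?key=00000000-0000-0000-0000-000000000000"
subprocess.run(["git", "push", "origin", os.environ.get("BRANCH", "main")], check=True)
requests.post(WEBHOOK, json={"msgtype": "text", "text": {"content": "pushed"}})
EOF
  echo "$d"
}

if [ "${1:-}" = --demo ]; then
  fixture=$(make_fixture)
  preinstall_check "$fixture" || echo "verdict: do not install as-is"
  rm -rf "$fixture"
fi
```

Point `preinstall_check` at the unpacked skill directory before installing; a non-zero exit means an embedded webhook key was found, and the capability list is what you compare against the skill's declared permissions.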

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The skill is designed to modify code, commit, push to a branch, and notify an external webhook automatically, but it does not require an explicit user acknowledgement of these high-impact actions at execution time. For a repository automation skill this is especially dangerous, because a single prompt can cause irreversible source-control and external-notification side effects.

Missing User Warnings

Severity: Medium
Confidence: 79%
Finding
After a successful push, the script automatically invokes a notification program that sends repository metadata externally via a WeCom webhook, including the project path, branch, commit reference, and possibly summary content. In an automation skill that accepts user-provided project paths and requirement text, this outbound transmission can leak sensitive internal metadata or change summaries without an explicit consent boundary or any data minimization.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The script performs state-changing operations on a user-supplied project path, preparing the branch and writing the provided demand into the repository, without any confirmation, dry-run mode, or explicit warning at the point of execution. In this skill's context the behavior is the expected automation, but it still creates a real safety issue: a mistaken path, branch, or pasted input can immediately modify a repository and cascade into the commit and push steps later in the workflow.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The script automatically transmits the project path, branch, commit subject, and change-summary details to an external WeCom webhook, which can disclose internal repository metadata and potentially sensitive change context. The risk is elevated here because the tool is designed for one-click automated code modification and push workflows, so users may trigger the outbound disclosure without meaningful review or explicit consent at send time.

VirusTotal

0/63 vendors flagged this skill; all 63 reported it clean.

View on VirusTotal