Multi-Platform Article Formatting and Publishing Assistant (MPA)

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says, but its setup asks users to run an unpinned remote shell installer before using a WeChat-publishing CLI.

Review the mpa project and installer before running it, prefer a pinned release or manually downloaded binary with checksum verification, and only configure WeChat credentials you are comfortable letting this CLI use to create drafts and upload article media.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill instructs users to execute a remote install script via curl piped directly to sh, which enables arbitrary code from a remote source to run immediately on the user's machine without inspection. In this skill's context, the instruction is framed as the first required setup step, making exploitation more dangerous because users are encouraged to trust and run it before using the tool.

External Script Fetching

Low
Category
Supply Chain
Content
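## 🔧 Prerequisites (Dependency Installation)
If the `mpa` command is not available in the user's terminal, **first instruct the user to run the following command in their terminal** to install the underlying dependency: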
```bash
curl -fsSL https://raw.githubusercontent.com/shijianzhong/multi-platform-articles/main/scripts/install.sh | sh
```
*Once installation completes, `mpa` is automatically set up in the user's `~/.local/bin`.*
Confidence
97% confidence
Finding
curl -fsSL https://raw.githubusercontent.com/shijianzhong/multi-platform-articles/main/scripts/install.sh | sh

Chaining Abuse

High
Category
Tool Misuse
Content
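## 🔧 Prerequisites (Dependency Installation)
If the `mpa` command is not available in the user's terminal, **first instruct the user to run the following command in their terminal** to install the underlying dependency: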
```bash
curl -fsSL https://raw.githubusercontent.com/shijianzhong/multi-platform-articles/main/scripts/install.sh | sh
```
*Once installation completes, `mpa` is automatically set up in the user's `~/.local/bin`.*
Confidence
99% confidence
Finding
| sh

VirusTotal

64/64 vendors flagged this skill as clean.