WeChat Official Account Publishing (微信公众号发布)

Security checks across malware telemetry and agentic risk

Overview

This WeChat publishing skill is mostly aligned with its stated purpose, but it gives an agent broad account-level publishing and draft-deletion power plus extra local record-writing behavior that needs review.

Install only if you intend to let this skill operate a WeChat public-account publishing workflow. Review each publish or delete command before it runs, consider removing or gating the delete and rebuild scripts, and be aware it may read/write local product-facts and article-tracking files in addition to publishing drafts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Description-Behavior Mismatch

High (96% confidence)
Finding
The skill expands from Markdown-to-WeChat publishing into external research, fact verification, and modification of a shared local knowledge base. This broadens authority far beyond the declared purpose, creating scope creep that can cause unintended data access, external network use, and writes to unrelated files when the user only asked to publish an article.

Description-Behavior Mismatch

Medium (95% confidence)
Finding
The skill includes operational analytics tracking and local record updates unrelated to the core act of publishing a WeChat article. That introduces unnecessary access to persistent local data stores and creates opportunities to alter business records or user metrics without a narrowly scoped authorization model.

Context-Inappropriate Capability

Medium (93% confidence)
Finding
Directing the agent to perform external web searches is not necessary for a publishing/formatting skill and expands the attack surface to network activity and prompt-injection exposure from searched content. In context, this is more dangerous because the skill frames such searches as mandatory and automatic when unfamiliar terms appear, rather than requiring separate user intent.

Context-Inappropriate Capability

Medium (95% confidence)
Finding
The skill instructs writing verified facts into a shared local facts file unrelated to WeChat publishing, which is an unauthorized side effect outside the declared function. This can pollute shared knowledge files, overwrite trusted references, and create persistence channels for incorrect or adversarial content gathered during browsing.

Context-Inappropriate Capability

Medium (94% confidence)
Finding
Maintaining article performance tracking data is outside the stated publishing functionality and grants the skill unnecessary access to a local tracking database. In practice this can lead to unauthorized reads/writes of business metrics, accidental corruption of records, or misuse of contextual data not needed to publish content.

Missing User Warnings

Medium (95% confidence)
Finding
The script performs remote draft deletion immediately when given a media_id, with no confirmation prompt, dry-run mode, or explicit destructive-action warning. In an agent skill context, this increases the chance of accidental or prompt-induced deletion of official-account content, causing integrity loss and operational disruption.

VirusTotal

VirusTotal findings are pending for this skill version.
