WeChat/QQ Auto Messaging (微信QQ自动发消息)

Security checks across malware telemetry and agentic risk

Overview

This skill has a legitimate WeChat/QQ automation purpose, but it can control live chat apps, save chat screenshots, and send messages with uneven confirmation and privacy guidance.

Install only if you are comfortable letting this skill control your desktop WeChat/QQ apps, clipboard, screenshots, and logged-in account. Test with low-risk contacts first, treat direct-send commands as capable of sending immediately, review/delete saved screenshots, and do not upload chat screenshots to external AI services unless you intentionally accept that privacy exposure.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill documentation describes local file storage and screenshot/OCR workflows that read from and write to user-accessible paths, but the skill has no declared permissions for file access. This creates a transparency and consent gap: users and policy engines may not understand that the skill can access local data, including screenshots of chat content that may contain sensitive information.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The code captures chat screenshots and writes them to a persistent directory under the user's home folder, which can expose sensitive conversation content beyond the immediate OCR task. In a messaging-assistant skill, chats commonly contain private or regulated data, and the manifest does not clearly disclose this retention behavior, increasing the privacy and data-handling risk.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README advertises automated messaging and local screenshot saving but does not warn users about privacy, consent, or data-handling risks. In a tool that can capture chat content and send messages on a user's behalf, missing disclosure materially increases the chance of misuse, accidental data exposure, or operation without appropriate authorization.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README explicitly instructs users to send chat screenshots to external AI assistants/APIs for analysis, but it does not warn that screenshots may contain sensitive personal, business, or account information. In the context of a tool that captures WeChat/QQ conversations, this creates a real privacy and data-handling risk because users may unknowingly transmit third-party communications to external services.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation describes using a script to automatically send replies, but it does not clearly warn about misdirected, unintended, or irreversible message transmission. Because this skill operates on live messaging platforms, an automated send function can cause immediate disclosure, impersonation, or reputational harm if the wrong chat is detected or the AI-generated reply is incorrect.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill stores screenshots of live chats without an explicit warning or consent flow, despite those images likely containing sensitive personal or business communications. This increases the chance of accidental disclosure through local file access, backups, sync tools, or other software on the host.

Missing User Warnings

High
Confidence
98% confidence
Finding
The automation pastes content into a chat input and immediately presses Enter without a user confirmation step. In a GUI-automation context, focus mistakes, stale window detection, or misuse by another component can cause unintended messages to be sent to the wrong recipient, leading to privacy breaches, fraud, or reputational harm.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger pattern "给.*发消息" is very broad and can match many ordinary user requests to send a message, without clearly constraining activation to WeChat or QQ. In a skill that automates GUI input, screenshots, clipboard access, and message sending, overly broad activation increases the chance of unintended invocation and accidental message transmission or screen capture in the wrong context.

Vague Triggers

Low
Confidence
83% confidence
Finding
The trigger phrase "截图分析" is ambiguous because it does not clearly indicate that this skill will capture the screen for WeChat/QQ-related automation. Since the package metadata itself warns that screenshots are stored locally and may contain sensitive data, an ambiguous trigger can cause users to invoke screen capture functionality without understanding the privacy implications.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code captures a screenshot of the QQ chat area and automatically saves it to ~/.openclaw/workspace/screenshots before obtaining user confirmation or clearly warning that conversation content will be written to disk. Chat screenshots can contain sensitive personal, business, or group information, and persistent local storage increases exposure to unauthorized local access, backup/sync leakage, or later misuse.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script sends a QQ message immediately after GUI automation without any confirmation step, preview, or explicit user acknowledgment before the irreversible Enter keypress. In a messaging automation skill, this creates real risk of accidental delivery to the wrong contact or transmission of unintended content if window focus, search results, or arguments are incorrect.

Missing User Warnings

Low
Confidence
87% confidence
Finding
The function overwrites the system clipboard contents to paste text and restores it afterward, but this happens without any user-facing warning or consent. This can leak or disrupt sensitive clipboard data, especially on shared systems or if restoration fails due to a crash, race condition, or concurrent clipboard use by another application.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script sends a message immediately by simulating Enter with no final user confirmation, making the action irreversible once triggered. In a GUI automation context, focus errors, wrong contact selection, or maliciously supplied input could cause unintended messages to be sent to the wrong recipient, creating privacy, reputational, or social-engineering risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The function reads and overwrites the system clipboard, which may temporarily expose sensitive user data and can interfere with other applications. Even though it restores the previous clipboard content afterward, the script does so without warning or consent, and clipboard races or failures could leave sensitive contents altered or disclosed.

Ssd 3

Medium
Confidence
95% confidence
Finding
The README encourages forwarding private chat screenshots and OCR-derived conversation content to an AI assistant for analysis and response generation. In this skill’s context, that is more dangerous than generic documentation because the targeted data source is private messaging content from WeChat/QQ, which often includes personal data, confidential discussions, and information belonging to other parties who have not consented to external processing.

VirusTotal

65/65 vendors flagged this skill as clean.
