ClawHub

Wechat Article For Ai

Security checks across malware telemetry and agentic risk

Overview

This skill is coherent for converting WeChat articles to Markdown, with expected web access and local file output but some dependency hygiene cautions.

Install this in a virtual environment, use a dedicated output directory, and pin or update dependencies before relying on it. Be aware it will fetch WeChat pages, may download a Camoufox browser, and can save Markdown/images/debug HTML locally under the chosen output path.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill explicitly describes network access to fetch WeChat articles and local file writes for Markdown and image output, yet it declares no permissions. This mismatch can mislead users or hosting platforms about the tool's actual capabilities, reducing informed consent and weakening sandbox or policy enforcement.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The description explains conversion features but does not clearly warn users that article text and images are downloaded from the internet and written to local storage. This can cause unintended data storage, disk usage, and privacy surprises, especially in agent-driven environments where users may not see the full operational details.

Unpinned Dependencies

Low
Category
Supply Chain
Content
camoufox[geoip]
markdownify
beautifulsoup4
httpx
mcp
Confidence
95% confidence
Finding
markdownify

Unpinned Dependencies

Low
Category
Supply Chain
Content
camoufox[geoip]
markdownify
beautifulsoup4
httpx
mcp
Confidence
95% confidence
Finding
beautifulsoup4

Unpinned Dependencies

Low
Category
Supply Chain
Content
camoufox[geoip]
markdownify
beautifulsoup4
httpx
mcp
Confidence
98% confidence
Finding
httpx

Unpinned Dependencies

Low
Category
Supply Chain
Content
markdownify
beautifulsoup4
httpx
mcp
Confidence
97% confidence
Finding
mcp

Known Vulnerable Dependency: markdownify — 1 advisory(ies): CVE-2025-46656 (markdownify allows large headline prefixes such as <h9999999>, which causes memo)

Low
Category
Supply Chain
Confidence
80% confidence
Finding
markdownify

Known Vulnerable Dependency: httpx — 2 advisory(ies): CVE-2021-41945 (Improper Input Validation in httpx); CVE-2021-41945 (Encode OSS httpx <=1.0.0.beta0 is affected by improper input validation in `http)

Critical
Category
Supply Chain
Confidence
87% confidence
Finding
httpx

Known Vulnerable Dependency: mcp — 3 advisory(ies): CVE-2025-53366 (MCP Python SDK vulnerability in the FastMCP Server causes validation error, lead); CVE-2025-66416 (Model Context Protocol (MCP) Python SDK does not enable DNS rebinding protection); CVE-2025-53365 (MCP Python SDK has Unhandled Exception in Streamable HTTP Transport, Leading to )

High
Category
Supply Chain
Confidence
92% confidence
Finding
mcp

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal