Wechat Miniprogram Toolkit

Security checks across malware telemetry and agentic risk

Overview

This is a coherent WeChat mini-program development toolkit, but several examples could lead users to mishandle payments, identifiers, credentials, releases, analytics, media, or Wi-Fi passwords if copied directly.

Install only if you will treat it as reference material rather than production-ready secure code. Before using generated payment, admin, CI/CD, analytics, messaging, content-review, live-stream, phone-number, upload, or hardware provisioning examples, add server-side authorization, secret-manager storage, consent/privacy notices, data minimization, encryption for credentials, audit logging, and manual approval before release or financial actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (27)

Context-Inappropriate Capability

Medium (95% confidence)
The self-evolution mechanism directs the agent to persist user feedback, errors, and uncovered needs into an error log outside the immediate task. This creates data-retention risk because runtime errors and user corrections often contain secrets, identifiers, code snippets, or business context that should not be stored by default.

Intent-Code Divergence

Medium (95% confidence)
The document explicitly says openid/unionid should not be exposed in frontend code or logs, yet later examples log identifiers server-side and return openid to the client. This creates unnecessary identifier exposure, increases privacy risk, and can encourage developers to treat openid as a client-side session token or durable identifier.

Intent-Code Divergence

Medium (96% confidence)
The documented release flow says publishing should happen only after WeChat audit approval, but the provided `ci:release` script runs submit, query, and release sequentially with no approval gate or polling/wait logic. In a CI/CD context for mini-program deployment, this can cause an attempted premature release, bypass expected human/approval controls, and create unsafe or noncompliant deployment behavior.

Intent-Code Divergence

Medium (97% confidence)
This example presents a dangerous authorization pattern: a privileged delete operation is protected only by a hardcoded shared secret supplied by the caller. In a developer guide, this is likely to be copied into production and can lead to privilege bypass if the key is leaked, guessed, logged, or extracted from client usage; the surrounding cloud-function context makes it more dangerous because the code runs with elevated database privileges and bypasses normal collection rules.

Intent-Code Divergence

High (99% confidence)
The document explicitly states that merchant secrets must be stored in server-side environment variables, but the payment notification example hardcodes `MCH_KEY` in code. In a payment skill, readers commonly copy examples directly; embedding a payment secret in source code materially increases the risk of secret leakage through version control, logs, screenshots, or package distribution.

Vague Triggers

Medium (90% confidence)
The activation contract uses very broad trigger terms like '小程序' (mini-program), '登录' (login), '支付' (payment), and 'TypeScript', which can match ordinary discussion and cause the skill to load in contexts the user did not intend. Over-broad auto-activation increases the chance that the agent follows this skill's file-reading, script-running, or logging behaviors unnecessarily.

Vague Triggers

Medium (94% confidence)
The self-evolution trigger logs whenever users say vague phrases like '不对' ("not right") or '错了' ("wrong"), which are common in normal conversation. This can cause accidental persistence of arbitrary user text and error details, making benign feedback a data collection event without clear consent.

Missing User Warnings

Medium (92% confidence)
The example sends a persistent identifier (`openid`) together with page and timestamp data to cloud functions without any notice, minimization, or discussion of consent and retention. Even in analytics code, combining stable identifiers with behavioral telemetry enables user tracking and profiling, which can create privacy and compliance risk if copied into production unchanged.

Missing User Warnings

Medium (95% confidence)
The skill recommends automatic global tracking of page/app visibility events across all pages without warning about privacy impact or the need to limit what is collected. This pattern normalizes broad behavioral surveillance and may lead implementers to capture comprehensive usage data without consent, transparency, or filtering of sensitive contexts.

Missing User Warnings

Medium (94% confidence)
The sample shows returning openid to the client and storing it locally without strong justification or warning. While openid is not a secret in the same sense as an access token, exposing and persisting it on the client enlarges the privacy footprint and can lead downstream developers to misuse it for authorization decisions or cross-component tracking.

Missing User Warnings

Medium (90% confidence)
The 'silent login' flow persists openid in local storage and treats it as part of login state, but the document does not sufficiently warn about privacy, lifecycle, and misuse risks. This can normalize long-lived client-side storage of identifiers and blur the boundary between WeChat session validity and app authentication state.

Missing User Warnings

High (97% confidence)
The phone number example processes highly sensitive personal data and even displays it in a toast, but lacks strong warnings about consent, minimization, masking, retention, and secure handling. In a login/auth skill, this is more dangerous because implementers are likely to copy the pattern directly into production identity flows.

Missing User Warnings

Medium (76% confidence)
Enabling `traceUser` records user access data in the cloud console, but the guide does not mention privacy notice, consent, retention, or minimization requirements. In a documentation skill aimed at real-world app development, omitting these safeguards can lead developers to deploy user tracking without adequate disclosure or compliance controls.

Missing User Warnings

Medium (84% confidence)
The cloud function example returns `OPENID`, `UNIONID`, and `APPID` directly to the caller without warning that these are sensitive identity identifiers. In context, this is risky because developers may expose stable user identifiers to clients or logs unnecessarily, increasing privacy exposure, enabling user correlation across systems, and normalizing insecure handling of identity data.

Missing User Warnings

Medium (84% confidence)
The skill instructs developers to send user-generated text and images to cloud functions and moderation services, but it does not clearly require user-facing disclosure, consent, or data-handling transparency. In a content-safety context this transmission is expected, but absent notice can create privacy and compliance risk, especially when users may not realize their content is being transmitted off-device for scanning.

Missing User Warnings

Medium (94% confidence)
The local-image workflow temporarily uploads user files to cloud storage for scanning, then deletes them, but the documentation does not clearly warn that remote upload occurs at all. This is more sensitive than ordinary API use because users and implementers may assume local-only checking; undisclosed remote transfer can expose personal images to unexpected processing, retention, logging, or misconfiguration risk.

Vague Triggers

Medium (93% confidence)
The phrase `告诉 AI "查看这个 skill 的错误台账"` (tell the AI to "look at this skill's error ledger") is a broad natural-language trigger that could be activated by ordinary user conversation rather than an explicit tool invocation. In an agent setting, this can cause unintended disclosure of internal skill state or reference material and creates prompt-surface ambiguity that attackers can exploit through indirect prompting.

Vague Triggers

Medium (95% confidence)
The activation contract is overly broad and includes many generic terms such as location, device hardware, sensors, and scanning. In an agent setting, this can cause the hardware-focused skill to trigger on unrelated user requests, unnecessarily exposing sensitive guidance around BLE, NFC, Wi-Fi, and location workflows and increasing the chance of unsafe or unintended actions.

Missing User Warnings

Medium (89% confidence)
The document provides a concrete example that collects and transmits a user's home Wi-Fi SSID and password to a local device over plain HTTP without prominent risk warnings or security requirements. Even on a local network or device hotspot, this normalizes insecure credential handling and could lead developers to copy a pattern that exposes highly sensitive secrets to interception, rogue access points, or unauthorized local devices.

Missing User Warnings

Medium (83% confidence)
The guide instructs developers to upload user video to cloud storage without any warning about consent, retention, access control, or sensitive-content handling. In a media workflow, this omission can lead to collection and storage of personal or biometric data without adequate notice or controls, increasing privacy and compliance risk.

Missing User Warnings

Medium (87% confidence)
The TRTC examples enable camera and microphone streaming and joining rooms without prominently warning that audio/video data is being captured and transmitted. In a real app, this can result in developers implementing real-time communications flows without sufficient consent UX, disclosure, or safeguards for sensitive media streams.

Vague Triggers

Medium (90% confidence)
The activation contract is very broad and matches generic terms like customer service, notifications, and user feedback. In an agent setting, this can cause the skill to activate on ordinary conversations and inject messaging/payment-oriented instructions into unrelated tasks, increasing the chance of unintended actions or data handling.

Missing User Warnings

Medium (85% confidence)
The guidance includes refund and order-closing flows but does not clearly require authorization, operator confirmation, or role checks before invoking these destructive operations. In a payments context, omission of such safeguards can lead implementers to expose sensitive actions through callable functions or admin tooling without adequate approval controls, causing unauthorized refunds, order cancellation, or business logic abuse.

Missing User Warnings

Medium (91% confidence)
The template performs automatic login and stores a persistent OpenID without any user-facing disclosure, consent flow, or data-retention explanation. In a mini-program context, silently collecting and retaining identifiers can violate privacy expectations and lead developers to ship non-compliant identity handling by default.

Missing User Warnings

Medium (84% confidence)
The upload helper provides a ready-made path for transmitting local files to cloud storage but does not warn about the sensitivity of user-selected files, acceptable sources, or required authorization checks. In a toolkit skill, this omission can normalize unsafe handling of personal or confidential content and increase the chance of accidental over-collection or improper uploads.

VirusTotal

65/65 vendors flagged this skill as clean.