WeChat Official Account Article Scraping

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a disclosed WeChat article scraper, but it gives locally stored article data and user-supplied keywords too much control over browser navigation and file output paths.

Review before installing. Use it only for content you are allowed to scrape and store, keep keywords as simple filenames, inspect articles_new.json before running the fetch/report steps, and prefer a patched version that restricts URLs to expected HTTPS WeChat/Sogou domains, escapes report HTML fields, and forces all outputs to remain inside the workspace.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 92%
Finding
The skill clearly instructs the agent to read and write workspace files such as articles.json, articles_new.json, generated PDFs, and output directories, yet no permissions are declared. This creates a capability-transparency gap: users and any enforcement layer may not realize the skill persists scraped content locally, which can lead to unauthorized storage or overwrite of local data.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 96%
Finding
The declared behavior says the skill searches for article metadata and generates a report, but the workflow goes further by fetching full article bodies, visiting original links, and saving full-page PDFs locally. That mismatch is dangerous because it hides materially broader data collection, network access, and persistence than users would reasonably expect, increasing privacy, copyright, and local data exposure risks.

Description-Behavior Mismatch

Medium
Confidence: 97%
Finding
The skill description says it should collect article title, summary, publish date, and source account, but the code opens each article and stores the full body text in JSON. That expands collection beyond the declared scope and increases privacy, copyright, and data-handling risk, especially because article bodies may contain sensitive or proprietary content and are persisted locally.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill performs network scraping of Sogou WeChat search results and fetches third-party article pages, but the description does not disclose these external requests or associated privacy/compliance implications. This is risky because user-supplied keywords and browsing activity are transmitted to external services, and the skill may interact with sites whose content or access rules impose additional restrictions.

Missing User Warnings

Low
Confidence: 76%
Finding
The script loads URLs from a local JSON file and visits them with Playwright without validating origin, scheme, or destination, causing external network requests and active page rendering. In an agent context, this can be abused for SSRF-like access to internal services, unexpected requests to attacker-controlled hosts, and execution of untrusted page JavaScript in a browser context, especially because the skill description frames the action as a keyword search rather than arbitrary URL fetching.

Missing User Warnings

Medium
Confidence: 93%
Finding
The script persists scraped content to ~/.openclaw/workspace/articles.json without any explicit notice, consent flow, retention control, or minimization. Silent local persistence increases the chance of unintended disclosure to other local processes, users, backups, or later workflows, especially because the file may contain full article text rather than just metadata.

VirusTotal

54/54 vendors flagged this skill as clean.