Weibo Operations

Security checks across malware telemetry and agentic risk

Overview

This skill does automate Weibo as advertised, but it handles broad Chrome session data through a debuggable browser and can delete posts without extra confirmation.

Install only if you are comfortable giving this skill control of a logged-in Weibo browser. Prefer a dedicated Chrome profile used only for Weibo, avoid copying your normal Chrome profile, close the Chrome DevTools Protocol (CDP) debugging browser after use, delete `/tmp/chrome-debug-profile`, and require your own explicit confirmation before any delete, post, repost, comment, or like action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
81% confidence
Finding
The skill invokes shell commands (`bash scripts/start_chrome.sh`, `python3 scripts/weibo_ops.py`) but does not declare any permissions or capability boundaries. Undeclared shell capability is dangerous because it hides the true execution surface from reviewers and users, making it easier for the skill to launch local processes and manipulate browser state without explicit consent.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented behavior extends beyond simple Weibo write operations: it copies the user's Chrome profile/login state into a temporary directory and starts Chrome with a remote debugging port and permissive origin settings. This materially increases the attack surface because authenticated browser data and CDP access can enable broader session hijacking, data exposure, or unintended control of the browser beyond the stated Weibo actions.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The script clones a broad set of Chrome profile artifacts into a separate debugging profile, including cookies, saved login data, local/session storage, IndexedDB, and other persistent browser state. For a skill that only needs to perform Weibo write actions, duplicating the user's wider browser identity and session data is excessive and creates unnecessary exposure of authenticated sessions and sensitive local data if the temp profile is accessed, retained, or misused.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill documents destructive deletion actions, including `delete_all`, without an explicit warning that the action is irreversible or a requirement for strong confirmation. In context, this is more dangerous because the skill performs authenticated account actions on a live social-media account, so accidental invocation could cause permanent loss of user content.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script silently copies highly sensitive Chrome state into a debug profile under /tmp without notifying the user that cookies, login databases, and browser storage are being duplicated. This reduces user awareness and informed consent around handling authenticated sessions and personal browsing artifacts, increasing the chance of accidental credential/session exposure or unauthorized reuse.

Missing User Warnings

High
Confidence
98% confidence
Finding
The `delete_all` path performs repeated irreversible deletions of Weibo posts with no explicit confirmation, dry-run, preview, or per-item authorization step. In an agent context, a mistaken invocation, prompt injection, or ambiguous user request could cause mass destructive account actions using the victim's already-authenticated browser session.

Missing User Warnings

High
Confidence
96% confidence
Finding
The single-delete action triggers permanent deletion of a selected post without a user-facing confirmation or verification that the intended post was targeted. Because the script drives a live logged-in browser by DOM heuristics and screen coordinates, UI changes or ambiguous indexing could delete the wrong content, making accidental destructive action likely.

VirusTotal

64/64 vendors flagged this skill as clean.