Mini-Program Internationalization Adaptation Skill

Security checks across malware telemetry and agentic risk

Overview

This is a coherent WeChat mini-program internationalization skill; the sensitive examples need privacy care, but the artifacts do not show hidden or malicious behavior.

Install and run this only in a normal development sandbox, and pass the scanner only the mini-program project you intend to analyze. Review generated reports before sharing them. If you copy the login examples, remove the phone-number console log, keep SMS/email provider keys server-side, add rate limits and generic error handling, and make language-based UI differences transparent to users.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (6)

Natural-Language Policy Violations

Severity: Medium
Confidence: 91%
Finding
The skill recommends detecting user language and hiding product features for non-Chinese users without requiring explicit user choice, transparent disclosure, or a documented policy basis. This can create discriminatory or opaque behavior, and in security-sensitive or regulated contexts it may improperly gate functionality based on inferred locale, increasing compliance, trust, and abuse risks.

Natural-Language Policy Violations

Severity: Medium
Confidence: 91%
Finding
The i18n mapping coerces zh_TW to zh_CN, which removes user language choice and can cause incorrect locale-specific content, legal text, or consent wording to be shown. In an account, identity, or verification flow, forced locale fallback can mislead users and create compliance and trust risks even if it is not a classic code-execution issue.

External Transmission

Severity: Medium
Category: Data Exfiltration
Content (truncated excerpt from the skill's login example):
if (e.detail.errMsg === 'getPhoneNumber:ok') {
  const { code } = e.detail
  wx.request({
    url: 'https://api.yourapp.com/auth/phone',
    method: 'POST',
    data: { code },
    success(res) {
Confidence: 88%
Finding
https://api.yourapp.com/

External Transmission

Severity: Medium
Category: Data Exfiltration
Content (truncated excerpt from the skill's SMS example):
const { selectedAreaCode, phoneNumber } = this.data
const fullNumber = selectedAreaCode.code + phoneNumber
wx.request({
  url: 'https://api.yourapp.com/sms/send',
  method: 'POST',
  data: { phone: fullNumber },
  success: () => {
Confidence: 90%
Finding
https://api.yourapp.com/

External Transmission

Severity: Medium
Category: Data Exfiltration
Content (truncated excerpt from the skill's email example):
async sendEmailCode() {
  if (!this.validateEmail()) return
  wx.request({
    url: 'https://api.yourapp.com/email/send-code',
    method: 'POST',
    data: { email: this.data.email },
    success: () => {
Confidence: 87%
Finding
https://api.yourapp.com/

External Transmission

Severity: Medium
Category: Data Exfiltration
Content (truncated excerpt from the skill's email verification example):
async verifyEmail() {
  wx.request({
    url: 'https://api.yourapp.com/email/verify',
    method: 'POST',
    data: { email: this.data.email, code: this.data.verifyCode },
    success(res) {
Confidence: 89%
Finding
https://api.yourapp.com/

VirusTotal

VirusTotal findings are pending for this skill version.
