WeChat Publisher With WeMD Render

Security checks across malware telemetry and agentic risk

Overview

This WeChat publishing skill mostly does what it says, but it needs review because first use can fetch and run unpinned third-party build code, and it can upload files from broad local file paths using stored WeChat credentials.

Install only if you are comfortable letting this skill use WeChat publisher credentials, upload local files referenced by article inputs, and run a first-use Node/GitHub build process. Keep article assets in a dedicated directory, review or pin the WeMD setup path before use, and require explicit confirmation before publishing, deleting, or uploading any unexpected local file.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def _install_npm() -> str | None:
    if NODE_MODULES.is_dir():
        return None
    r = subprocess.run(
        ["npm", "install", "--omit=dev", "--no-audit", "--no-fund"],
        cwd=str(WEMD_DIR), capture_output=True, text=True, timeout=120,
    )
Confidence
91% confidence
Finding
r = subprocess.run( ["npm", "install", "--omit=dev", "--no-audit", "--no-fund"], cwd=str(WEMD_DIR), capture_output=True, text=True, timeout=120, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
with tempfile.TemporaryDirectory() as tmpdir:
    tmp = Path(tmpdir)
    r = subprocess.run(
        ["git", "clone", "--depth", "1", WEMD_REPO, str(tmp / "WeMD")],
        capture_output=True, text=True, timeout=60,
    )
Confidence
95% confidence
Finding
r = subprocess.run( ["git", "clone", "--depth", "1", WEMD_REPO, str(tmp / "WeMD")], capture_output=True, text=True, timeout=60, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        return f"git clone failed: {r.stderr.strip()[:300]}"

    core_dir = tmp / "WeMD" / "packages" / "core"
    r = subprocess.run(
        ["npm", "install", "--no-audit", "--no-fund"],
        cwd=str(core_dir), capture_output=True, text=True, timeout=120,
    )
Confidence
94% confidence
Finding
r = subprocess.run( ["npm", "install", "--no-audit", "--no-fund"], cwd=str(core_dir), capture_output=True, text=True, timeout=120, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    if r.returncode != 0:
        return f"core npm install failed: {r.stderr.strip()[:300]}"

    r = subprocess.run(
        ["npx", "--yes", "typescript", "--build"],
        cwd=str(core_dir), capture_output=True, text=True, timeout=60,
    )
Confidence
89% confidence
Finding
r = subprocess.run( ["npx", "--yes", "typescript", "--build"], cwd=str(core_dir), capture_output=True, text=True, timeout=60, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    )
    if r.returncode != 0:
        tsc_bin = core_dir / "node_modules" / ".bin" / "tsc"
        r = subprocess.run(
            [str(tsc_bin)] if tsc_bin.is_file() else ["npx", "tsc"],
            cwd=str(core_dir), capture_output=True, text=True, timeout=60,
        )
Confidence
90% confidence
Finding
r = subprocess.run( [str(tsc_bin)] if tsc_bin.is_file() else ["npx", "tsc"], cwd=str(core_dir), capture_output=True, text=True, timeout=60, )

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill advertises and instructs use of shell, filesystem, environment, and network-capable scripts but declares no permissions, preventing informed policy enforcement and user review. In this context, the risk is amplified because the workflow includes dependency installation, local file access, image upload, and remote API interaction, all of which can materially affect the host and external accounts.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The skill description understates its effective behavior: beyond article publishing, it can install and build third-party tooling from a remote repository, persist and delete local theme files, and expose destructive deletion operations. This mismatch is dangerous because operators may authorize the skill for a limited publishing use case while it performs broader supply-chain, local persistence, and destructive actions they did not expect.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The client exposes destructive operations for deleting drafts, published articles, and materials, but the skill metadata only describes creation, update, publishing, and querying capabilities. In an agent setting, undocumented destructive actions materially expand the tool's authority and increase the risk of accidental or unauthorized content deletion.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Local image paths embedded in article HTML are automatically resolved and uploaded through a network helper, which can exfiltrate local files from the host if untrusted content controls img src values. In this skill context, article bodies may be agent- or user-supplied, so auto-uploading referenced files without an explicit allowlist or confirmation increases the risk of unintended disclosure of sensitive local data.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The setup routine performs network access, package installation, repository cloning, and compilation automatically with no user-facing warning or confirmation. In an agent skill context, silent environment mutation is risky because users may not expect the skill to fetch and execute external code simply to render or publish content.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This script takes a user-specified local file path and uploads the file to WeChat as permanent material without any in-code confirmation, policy check, or warning that data is leaving the local environment. In an agentic workflow, that creates a real exfiltration risk if the agent is tricked into supplying sensitive files or if file paths are influenced by untrusted input.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code loads app credentials from environment variables and uses them to authenticate to the WeChat API without any user-visible disclosure or consent boundary. In an agent workflow, hidden use of privileged credentials can cause users to trigger actions under a publisher account they may not realize is being used.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The multipart upload helper reads arbitrary local files and transmits their raw contents to a remote WeChat API. In an agent environment, this is a sensitive exfiltration primitive because a user or prompt could cause unintended upload of local files beyond intended image assets.

VirusTotal

66/66 vendors flagged this skill as clean.
