Wechat Feige Formatter

Security checks across malware telemetry and agentic risk

Overview

This looks like a real WeChat article formatter, but it needs review because its file and image handling is broader and less clearly controlled than users may expect.

Review before installing. Use it only for WeChat/public-account article formatting, avoid running it on untrusted Markdown that contains image paths, and assume generated HTML may contain embedded local file contents if image embedding is used. Check the output before copying, publishing, or sharing it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill instructs the agent to read user-provided local files and write temporary Markdown/HTML outputs, but the metadata does not declare those filesystem capabilities. This mismatch weakens policy enforcement and user visibility, making it easier for the skill to access or persist local data without explicit review.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The formatter resolves attacker-controlled Markdown image paths and reads arbitrary local files from disk, then embeds their contents into the output HTML as base64. In an agent setting, untrusted article content can therefore cause local file disclosure of any readable file whose path is guessed and whose MIME type passes through, exposing sensitive workstation or server data inside the generated artifact.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The invocation examples are broad, everyday phrases like '帮我排版这篇文章' and '优化我的 Markdown 文档', which can overlap with normal user requests and cause the skill to trigger when the user may not explicitly want this formatter. In an agent ecosystem, ambiguous trigger language can route user content into an unintended transformation pipeline, causing unexpected HTML generation, formatting changes, or data exposure to the wrong skill.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The README states that OpenClaw will '自动检测匹配本 Skill' and shows an automatic workflow, but it does not clearly define the conditions under which the skill should or should not activate. This ambiguity increases the risk of unintended invocation on loosely related requests, especially because the skill performs AI-driven content rewriting before HTML conversion, which can materially alter user content.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The trigger phrases are very broad (e.g. general requests to format content or generate HTML), so the skill may activate in situations beyond the user's intent. Over-broad activation is risky here because the workflow includes reading local files and transforming content, which could cause unintended file access or processing of sensitive material.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill states that local images are embedded as base64 by default, but this data-handling behavior is not prominently disclosed as a warning in the description. Embedding local images can silently package sensitive visual data into the generated HTML, increasing the chance of accidental disclosure when the file is shared or pasted elsewhere.

VirusTotal

65/65 vendors flagged this skill as clean.
