Security audit

Control openclaw via WeChat (通过微信控制openclaw)

Security checks across malware telemetry and agentic risk

Overview

This is a real WeChat-to-OpenClaw gateway, but its defaults give remote chat users too much control and expose chat data, images, and tokens without enough safeguards.

Install only in a controlled test environment unless you first harden it: switch the API endpoint and PUBLIC_URL to HTTPS, remove phrase-based self-whitelisting, restrict slash commands to a small allowlist, run OpenClaw with least-privilege tools, protect config.ini and logs, and add authentication/expiry/deletion for saved images.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill describes substantial capabilities—reading environment secrets, writing configuration files, making network requests, and invoking shell commands—yet declares no explicit permissions. This creates a transparency and consent gap: operators may install or approve the skill without understanding it can exfiltrate secrets, modify local state, or execute external commands.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Incoming chat messages beginning with '/' are passed to OpenClawAdapter.command(), which builds a subprocess command from user-controlled tokens and executes the OpenClaw CLI with arbitrary subcommands. Although shell metacharacter injection is avoided by using an argument list, this still exposes powerful agent/CLI capabilities to remote chat users far beyond the gateway's stated routing and messaging role.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
Any private sender can gain whitelist status simply by sending the fixed phrase '我是你的主人', after which the code persists their wxid into config.ini. This completely bypasses the intended private-chat access control and lets an unauthenticated remote user obtain ongoing access to the gateway's OpenClaw-backed functionality.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The application mounts the images directory as a public static path and later saves inbound images there, making user-submitted media web-accessible via PUBLIC_URL. In a messaging gateway context this creates an unnecessary confidentiality exposure because private images may be retained and shared through guessable URLs without access controls.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
For image messages, the code rewrites user input into a prompt instructing OpenClaw to read either a local file path or a public URL. In a system that delegates to an external agent/CLI, this broadens the agent's operating scope from simple image forwarding to file/URL access behavior, increasing the risk of unintended local file exposure or network fetches depending on OpenClaw capabilities.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README explicitly says received images are saved, converted into a URL, and sent to OpenClaw for analysis, but provides no notice about retention, access control, consent, or third-party data handling. In a chat gateway handling potentially personal WeChat content, this creates a real privacy and data-exposure risk, especially if users send sensitive images.

Missing User Warnings

Low
Confidence
76% confidence
Finding
The README states that initialization collects values such as WX_API_TOKEN and writes them to config.ini, but gives no warning about protecting that file or avoiding accidental disclosure. This is a genuine security weakness because API tokens stored in plaintext config files are commonly leaked through bad permissions, backups, or repository commits.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill states that sending a natural-language phrase in private chat automatically adds the sender to a whitelist, but it does not present this as a sensitive access-control change or require explicit confirmation. A guessable phrase can be replayed, forwarded, or socially engineered, allowing unintended parties to gain trusted access to the bot.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill advertises image recognition and sending AI responses back through WeChat, which implies user messages and images may be transmitted to external services, but it provides no explicit privacy or data-handling warning. In a messaging gateway context, this can expose sensitive personal, group, or image content to third-party APIs or downstream processors without informed consent.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The callback handler logs the full raw request body, which can include private message content, user identifiers, and embedded image data. Because logs are written to disk, this creates a durable plaintext record of sensitive chat data and increases breach impact if logs are accessed or forwarded.

Ssd 4

High
Confidence
98% confidence
Finding
The README describes a trust mechanism where sending the phrase '我是你的主人' automatically adds a user to a private-chat whitelist. This is an authentication bypass by design: any user who knows or guesses the phrase can self-enroll and gain access to privileged bot interaction, which is especially dangerous in a messaging gateway connected to agent and command capabilities.

Ssd 4

Medium
Confidence
96% confidence
Finding
Granting trusted-user access based on a simple onboarding phrase in private chat is a weak authentication mechanism. Because messaging content can be guessed, copied, or triggered by unauthorized users, this design can bypass intended access controls and expose the agent to untrusted inputs and actions.

Ssd 3

High
Confidence
99% confidence
Finding
A natural-language passphrase automatically grants privileged status by adding the sender to the whitelist with no prior authentication. In context, this is especially dangerous because that privileged status enables ongoing access to chat-triggered OpenClaw actions, including arbitrary CLI subcommands exposed elsewhere in the gateway.

External Transmission

Medium
Category
Data Exfiltration
Content
### 2. WeChat API base URL is fixed by default
Current default:

`http://api.wechatapi.net/finder/v2/api`

Normally it does not need to be changed manually.
Confidence
98% confidence
Finding
http://api.wechatapi.net/

VirusTotal

63/63 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.