Official Account Auto-Publish (公众号自动发布)

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it uses WeChat credentials to upload supplied article material and create a WeChat draft, with some operational caution needed around automation and secrets.

Install only if you intend to let the agent use your WeChat Official Account AppID/AppSecret to create drafts and upload selected media. Use explicit prompts, review title/digest/HTML/cover path before running, protect the .env file, and enable the cron example only if you deliberately want recurring automated draft creation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill invokes shell execution (`source ./scripts.sh`, `bash/curl/jq`) but does not declare corresponding permissions or execution requirements in a way that enables clear policy review. Undeclared code-execution capability increases the chance that a host agent runs shell commands without appropriate sandboxing, audit, or user awareness, which is risky because the commands process untrusted article content and local file paths and interact with external services.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The documented trigger phrases are broad, generic publishing commands that can easily match ordinary user intent and cause this skill to activate unexpectedly. In a skill that publishes content to a WeChat public account draft box, accidental invocation can result in unintended external-side effects and unreviewed content being pushed into a real publishing workflow.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README explicitly shows scheduled automatic execution with the instruction '不要提问,直接执行' ("don't ask, just execute"), enabling unattended draft publication without user confirmation at run time. Because this skill performs an external action against a real account, automation without approval or guardrails increases the risk of accidental, unauthorized, or prompt-induced publishing behavior.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger phrases include broad natural-language intents such as '发布文章' ("publish article") and '推送到公众号' ("push to the Official Account"), which can match routine publishing requests and cause the skill to activate unexpectedly. In this skill's context, accidental activation is more dangerous because the skill performs external publication actions against a real WeChat account, potentially pushing unintended content to a draft workflow and exposing sensitive material.

Credential Access

High
Category
Privilege Escalation
Content
# WeChat Official Account draft-box publishing tool - helper script
# Usage: source scripts.sh

# Credentials are provided via environment variables (recommended: use .env + `set -a; source .env; set +a`)

require_cmd() {
    command -v "$1" >/dev/null 2>&1 || {
        # The report's excerpt ends at the line above; this closing is an assumed completion, not from the scanned script
        echo "required command not found: $1" >&2
        return 1
    }
}
Confidence
80% confidence
Finding
.env

VirusTotal

65/65 vendors flagged this skill as clean.
