Npy

Security checks across malware telemetry and agentic risk

Overview

The skill discloses that it imports chat history, but it also ships high-impact capabilities that the disclosure does not prepare users for: WeChat/iMessage database decryption, recovery of the WeChat database key from process memory and the macOS Keychain, and persistent changes to global skill directories. Review these carefully before installing.

Install only if you intentionally want a skill that can recover WeChat database keys, decrypt and parse local chat histories, read iMessage data, infer relationship traits, and store generated persona state on disk. Prefer sanitized plaintext exports you are authorized to use, avoid importing other people's conversations without consent, review generated files and global links, and delete decrypted databases when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (46)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"""通过 lldb 读取微信进程内存提取密钥"""
    try:
        # 简化的 lldb 调用
        result = subprocess.run(
            ["lldb", "-p", str(pid), "-o", "memory read --force --outfile /tmp/wechat_mem.bin 0x0 0x100000000", "-o", "quit"],
            capture_output=True, text=True, timeout=30,
        )
Confidence
95% confidence
Finding
result = subprocess.run( ["lldb", "-p", str(pid), "-o", "memory read --force --outfile /tmp/wechat_mem.bin 0x0 0x100000000", "-o", "quit"], capture_output=True, text=Tr

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def _extract_key_macos_keychain() -> str | None:
    """尝试从 macOS Keychain 获取微信密钥"""
    try:
        result = subprocess.run(
            ["security", "find-generic-password", "-s", "com.tencent.xinWeChat", "-w"],
            capture_output=True, text=True, timeout=5,
        )
Confidence
89% confidence
Finding
result = subprocess.run( ["security", "find-generic-password", "-s", "com.tencent.xinWeChat", "-w"], capture_output=True, text=True, timeout=5, )
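The two findings above come from the "Behavioral AST" family of checks: the scanner parses the skill's Python source and flags call sites rather than reading the prose. As an added illustration (not SkillSpector's implementation and not the scanned skill's code), here is a minimal AST pass that reproduces those checks: it flags subprocess calls, eval()/exec() and dynamic imports, and records the literal program name (here "security") when argv[0] is a string constant. The sample source is constructed; its first function repeats the Keychain call quoted in the finding above, and the second function is invented so that every rule fires.

```python
"""Toy static detector for the 'Behavioral AST' patterns listed on this page.
Added example; not SkillSpector's implementation and not the scanned skill's code."""
from __future__ import annotations

import ast
from dataclasses import dataclass

# Constructed sample input. The first function repeats the Keychain call quoted
# in the finding above; the second is invented to exercise the other rules.
SAMPLE_SOURCE = '''
import subprocess, importlib

def _extract_key_macos_keychain():
    result = subprocess.run(
        ["security", "find-generic-password", "-s", "com.tencent.xinWeChat", "-w"],
        capture_output=True, text=True, timeout=5,
    )
    return result.stdout.strip()

def load_plugin(name, code):
    mod = importlib.import_module(name)
    exec(code)
    return eval("mod")
'''

SUBPROCESS_FUNCS = {"run", "Popen", "call", "check_call", "check_output", "getoutput"}


@dataclass
class Finding:
    rule: str            # matches the pattern names used in the report
    line: int            # 1-based line in the scanned source
    program: str | None  # argv[0] for subprocess calls when it is a string literal
    snippet: str


def _dotted_name(func: ast.expr) -> str:
    """Turn the callee of a Call into 'a.b.c'; empty string for anything else."""
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return ""  # e.g. getattr(subprocess, "run")(...) is not resolved by this toy


def _literal_program(call: ast.Call) -> str | None:
    """Program name when the first argument is a literal list/tuple or string."""
    if not call.args:
        return None
    arg = call.args[0]
    if isinstance(arg, (ast.List, ast.Tuple)) and arg.elts:
        arg = arg.elts[0]
    if isinstance(arg, ast.Constant) and isinstance(arg.value, str):
        return arg.value.split()[0] if arg.value.split() else None
    return None


def classify(call: ast.Call) -> str | None:
    """Map a Call node to one of the report's rule names, or None."""
    name = _dotted_name(call.func)
    if name in ("eval", "exec"):
        return f"{name}() Call"
    if name in ("__import__", "importlib.import_module"):
        return "Dynamic Import"
    if name.startswith("subprocess.") and name.split(".", 1)[1] in SUBPROCESS_FUNCS:
        return "subprocess module call"
    return None


def scan_source(source: str) -> list[Finding]:
    """Walk every Call node and return the flagged ones in source order."""
    lines = source.splitlines()
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and (rule := classify(node)):
            program = _literal_program(node) if rule == "subprocess module call" else None
            findings.append(Finding(rule, node.lineno, program, lines[node.lineno - 1].strip()))
    return sorted(findings, key=lambda f: f.line)


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"{f.rule:<24} line {f.line:>3}  program={f.program!r}  {f.snippet}")
```

Resolving the callee by name is why scanners like this report a confidence rather than a verdict: `getattr(subprocess, "run")(...)`, an aliased import, or a command assembled at runtime all slip past a purely syntactic rule, which is one reason the report pairs these matches with the description-behaviour findings below.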


Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill invokes shell commands, reads local files and databases, writes persistent files, and references environment variables, yet declares no permissions or trust boundary. This creates a transparency and consent failure: users and the host agent cannot accurately assess the skill's real access level before it handles sensitive local data.


High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The advertised purpose is an AI companion builder, but the skill also performs chat database decryption, message extraction, contact enumeration, persistent archival, and filesystem mutation. That mismatch is dangerous because users may grant trust for a benign emotional-support workflow without realizing it includes invasive data access and destructive local operations.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
Decrypting and extracting WeChat/iMessage databases is a materially sensitive capability unrelated to a simple companion-building interface unless it is very clearly disclosed and consented to. In this context, it enables access to highly private third-party communications, potentially exposing intimate content from people who never consented to processing.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
Including WeChat database decryption capability substantially expands the attack surface from persona creation to credential/key extraction and access to protected local message stores. Because the manifest does not justify this capability, users are likely to underestimate the privacy and security implications.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The skill can remove generated skills and global entries, which is a destructive filesystem capability beyond its stated emotional-companion purpose. Even with a confirmation prompt, tying deletion commands to user-provided slugs without strict validation increases the risk of unintended or broader data loss.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The intake flow expands a companion-creation skill into instructions for decrypting and ingesting real WeChat chat databases, which introduces unauthorized access and large-scale processing of private communications. This is dangerous because it operationalizes collection of sensitive third-party data unrelated to the minimum functionality needed to build a fictional companion persona.

Context-Inappropriate Capability

Critical
Confidence
99% confidence
Finding
The prompt explicitly guides users to extract a WeChat database key from process memory and use it to decrypt message stores. That materially facilitates credential/key extraction and access to protected communications, crossing from benign app functionality into offensive privacy-invasive behavior.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The tool is capable of extracting and processing private WeChat and iMessage histories, including intimate communications, which is materially broader and more privacy-invasive than the advertised AI companion purpose. In this skill context, that mismatch is especially dangerous because users may not expect bulk access to historical conversations and sensitive relationship data.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The code enumerates contacts from local chat databases and supports targeted extraction of conversations, enabling bulk discovery and collection of sensitive personal communications. In an AI companion skill, this capability increases the risk of covert profiling or overcollection because it is not clearly necessary for the stated feature set.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The classification logic infers sensitive relationship dynamics such as conflicts and 'sweet moments' from private chats. This is privacy-sensitive behavioral profiling, and in the context of a companion skill it is more dangerous because it enables intimate inference beyond generic messaging assistance.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The tool is presented as a companion-skill builder, but it also installs symlinks or copies into global Claude/OpenClaw skill directories. That broadens its effect from local content generation to environment-wide registration, which can unexpectedly expose generated skills to other contexts and increase persistence/scope beyond user expectations.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The delete flow recursively removes the selected skill directory and then cleans up global links, giving the script destructive capabilities beyond simple companion generation. If base_dir or slug resolution is influenced by environment or operator error, this can delete unintended data and remove skills from shared/global locations.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The code inspects environment variables, current working directory ancestry, and home-directory global skill paths to discover locations it can manipulate. This increases the blast radius of the tool and can cause it to operate on external or shared directories that are unrelated to the immediate companion-building task.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The tool creates or overwrites entries in global Claude/OpenClaw skill directories, deleting existing paths first and falling back to full directory copies if symlinks fail. This can overwrite preexisting content, create persistent artifacts in shared/global locations, and make generated skills active outside the original workspace.
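The deletion and global-link findings above (removal keyed on a user-supplied slug, recursive rmtree followed by link cleanup, and registration into shared skill directories that deletes whatever is already at the path) share one remedy: validate the slug, prove that the resolved path is a direct child of base_dir, and only ever remove a link that points at your own skill. The following is an added Python example, not the scanned skill's code; the slug grammar, the helper names and the directory layout are assumptions, and the layout it operates on is constructed in a temporary directory. It shows the flagged pattern beside the hardened version so the escape is visible.

```python
"""Slug validation and safe global-link handling for a skill directory.
Added example; not the scanned skill's code. Names and layout are assumed."""
from __future__ import annotations

import os
import re
import shutil
import tempfile
from pathlib import Path

# Assumed slug grammar: lowercase letters, digits, '-' and '_'; no separators or dots.
SLUG_RE = re.compile(r"[a-z0-9][a-z0-9_-]{0,63}")


def unsafe_delete_skill(base_dir: Path, slug: str) -> None:
    """The pattern the findings warn about: the slug is joined to base_dir and
    removed with no validation, so '../sibling' or an absolute path escapes."""
    shutil.rmtree(base_dir / slug)


def resolve_skill_dir(base_dir: Path, slug: str) -> Path:
    """Return base_dir/<slug> only if the slug is well formed and the *resolved*
    path is a direct child of the resolved base_dir. This rejects traversal and
    also a symlinked entry inside base_dir that points somewhere else."""
    if not SLUG_RE.fullmatch(slug):
        raise ValueError(f"invalid slug: {slug!r}")
    base = base_dir.resolve()
    target = (base / slug).resolve()
    if target.parent != base:
        raise ValueError(f"{slug!r} does not resolve inside {base}")
    return target


def install_global_link(skill_dir: Path, global_dir: Path) -> Path:
    """Register skill_dir in global_dir as a symlink. Idempotent for a link we
    already own; refuses to delete or overwrite anything else, unlike the
    flagged flow that deletes the existing path and falls back to a full copy."""
    global_dir.mkdir(parents=True, exist_ok=True)
    link = global_dir / skill_dir.name
    if link.is_symlink():
        if link.resolve() == skill_dir.resolve():
            return link
        raise FileExistsError(f"{link} -> {os.readlink(link)} is not ours")
    if link.exists():
        raise FileExistsError(f"{link} exists and is not a symlink")
    link.symlink_to(skill_dir, target_is_directory=True)
    return link


def remove_global_link(skill_dir: Path, global_dir: Path) -> bool:
    """Unlink only a symlink that points at skill_dir; never rmtree inside global_dir."""
    link = global_dir / skill_dir.name
    if link.is_symlink() and link.resolve() == skill_dir.resolve():
        link.unlink()
        return True
    return False


def delete_skill(base_dir: Path, slug: str, global_dirs: list[Path]) -> Path:
    """Validated delete: drop our own global links first, then the skill directory."""
    target = resolve_skill_dir(base_dir, slug)
    if not target.is_dir():
        raise FileNotFoundError(target)
    for g in global_dirs:
        remove_global_link(target, g)
    shutil.rmtree(target)
    return target


def demo() -> dict[str, bool]:
    """Run both versions against a constructed layout in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        base, global_dir = root / "skills", root / "global-skills"
        skill = base / "partner-a"
        skill.mkdir(parents=True)
        (root / "sibling").mkdir()                       # data that lives outside base
        (base / "alias").symlink_to(root / "sibling", target_is_directory=True)

        out: dict[str, bool] = {}
        link = install_global_link(skill, global_dir)
        out["link_created"] = link.is_symlink()
        out["idempotent"] = install_global_link(skill, global_dir) == link

        for key, slug in (("rejects_traversal", "../sibling"),
                          ("rejects_symlinked_slug", "alias")):
            try:
                resolve_skill_dir(base, slug)
                out[key] = False
            except ValueError:
                out[key] = True

        delete_skill(base, "partner-a", [global_dir])
        out["safe_delete_removed_skill_and_link"] = not skill.exists() and not link.is_symlink()

        unsafe_delete_skill(base, "../sibling")          # the flagged pattern, for contrast
        out["unsafe_delete_escaped_base"] = not (root / "sibling").exists()
        return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:<40} {v}")
```

The containment check compares resolved paths, not string prefixes, so a slug that passes the regex but names a symlink planted inside base_dir is still refused; and because the global-link helpers never call rmtree, a stale or foreign entry in a shared skill directory is reported instead of silently replaced.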

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The file's functionality centers on decrypting WeChat databases and extracting chat records, which materially conflicts with the manifest's description of an AI companion skill. This mismatch is a strong indicator of hidden capability and increases the likelihood that the tool is designed to access private communications under misleading pretenses.

Context-Inappropriate Capability

Critical
Confidence
99% confidence
Finding
This code scans a live WeChat process's memory and extracts candidate database keys from WeChatWin.dll, enabling decryption of private message databases. In the context of a companion skill, this is an unjustified credential-access and privacy-invasive capability with direct potential to expose highly sensitive personal communications.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The macOS path combines debugger-based process memory access with Keychain retrieval to recover WeChat secrets, both of which are powerful secret-harvesting techniques. Because the declared skill purpose does not require such access, this context makes the behavior substantially more suspicious and dangerous.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README explicitly promotes importing and decrypting private WeChat/iMessage chat histories to model a persona, but does not clearly warn about consent, third-party privacy, data minimization, retention, or secure local handling. This creates a real privacy/security risk because highly sensitive conversation content from other people may be processed without authorization and could be persisted into generated skills, logs, or backups.

Missing User Warnings

High
Confidence
97% confidence
Finding
The workflow processes decrypted private message databases and extracted chat histories without any visible privacy notice, retention explanation, or consent language. That is dangerous because users may expose sensitive personal and third-party data without understanding what will be collected, analyzed, and stored.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs storing generated personas, relationship memories, and archived chats on disk, but the description does not warn users that imported chat material may persist under the skill directory. Silent retention increases the likelihood of sensitive content being left behind, copied, backed up, or later accessed by others.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The PRD explicitly defines storage for relationship memories, chat logs, and important moments in a local partner directory, but it does not pair that design with a prominent user-facing consent, retention, or sensitivity warning at the point of collection. In an emotionally intimate companion product, users are especially likely to disclose highly sensitive personal, sexual, mental-health, or relational information, so silent or under-emphasized persistence materially increases privacy risk if the device, repo, backups, or shared workspace are later accessed.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The risk section acknowledges privacy concerns and says data is stored locally and gitignored, but that is not a sufficient safeguard or a prominent warning to end users about retention and exposure. Local plaintext storage can still leak through backups, synced folders, multi-user machines, malware, or accidental sharing, and the companion/relationship context makes the captured data unusually intimate and therefore more harmful if disclosed.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger phrases for dissatisfaction and adjustment are broad enough to match ordinary conversation, which can cause the system to enter a high-priority adjustment flow without clear user intent. In this skill, that is security-relevant because adjustments are written into an 'Adjustment layer' with highest priority, so accidental or adversarial phrasing could overwrite behavior rules and cause persistent persona drift or unauthorized behavior changes.

VirusTotal

0 of 67 vendors flagged this skill; all 67 reported it clean. A clean antivirus result does not bear on the findings above, which concern the skill's intended behaviour rather than known malware signatures.
