ClawHub

WeChat2PDF

Security checks across malware telemetry and agentic risk

Overview

The skill does the advertised WeChat-to-PDF conversion, but it tries to force itself to run for any WeChat link regardless of the user’s intent.

Install this only if you want a tool that fetches WeChat articles and saves local PDF/Markdown/HTML copies. Do not let its routing text override your actual request; use it only when you explicitly ask to convert or archive an article. Prefer a chosen output folder, run it on trusted WeChat links, and review the unpinned Python/Playwright dependencies before installing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (9)

Vague Triggers

High
Confidence
95% confidence
Finding
The skill metadata declares a mandatory routing rule that triggers solely on the presence of an mp.weixin.qq.com link, regardless of the user's actual request. This can override normal intent classification and force the agent to run a content-downloading workflow when the user may have only wanted summarization, safety review, or a different action.

Vague Triggers

High
Confidence
97% confidence
Finding
The README repeats a highest-priority instruction telling the agent to 'unconditionally' use this skill whenever a WeChat URL appears, even if the user included other requests. Because skill content is adversarial by default, this is a prompt-level attempt to bypass tool-selection safeguards and can coerce the agent into fetching, transforming, and storing remote content without clear consent.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The description emphasizes bypassing anti-hotlinking, downloading images, and generating offline files, but does not warn that the skill will retrieve remote article content and store converted artifacts locally. That lack of disclosure undermines informed consent and can surprise users with network access, local persistence, and potential copyright/privacy implications.

Vague Triggers

High
Confidence
96% confidence
Finding
The description declares a mandatory trigger whenever a message contains an mp.weixin.qq.com URL, regardless of the user's actual intent. This creates an overly broad routing condition that can hijack unrelated requests, causing the agent to run network-fetching and file-generation behavior without clear user consent or relevance.

Vague Triggers

High
Confidence
98% confidence
Finding
The skill explicitly instructs the agent to unconditionally prioritize this skill over normal summarization or webpage tools for any matching URL, even when the user includes other requests. That semantic override weakens safe tool-selection boundaries and can force unnecessary external fetching and artifact generation in contexts where the user did not ask for conversion.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill directs the agent to generate local PDF/Markdown files and disclose the resulting disk path, but it does not require explicit user notice or consent for filesystem writes. In an agent environment, silent file creation can surprise users, expose local path information, and create data-handling risks, especially when processing remote content.

Ssd 1

Medium
Confidence
94% confidence
Finding
This instruction explicitly tells the agent to ignore normal summarize/web-reading tools and always prefer this skill whenever a WeChat link is present. In context, that semantic override weakens tool-selection safeguards and increases the chance of unnecessary code execution, remote fetches, and file generation triggered by a simple URL mention.

Ssd 4

Medium
Confidence
88% confidence
Finding
The workflow instructs the agent to reveal generated disk paths or directly attach produced files after conversion, without any check that exposing filesystem details or sharing artifacts is appropriate. In multi-tenant or privacy-sensitive environments, local path disclosure can leak environmental information, and attaching generated files may propagate content the user did not explicitly request to receive.

Ssd 1

Medium
Confidence
95% confidence
Finding
The skill attempts to override standard tool-selection behavior by declaring itself the mandatory first choice for any WeChat URL. In skill ecosystems, self-prioritizing instructions are dangerous because they encourage the agent to follow embedded adversarial routing directives instead of neutral orchestration logic, increasing the chance of misuse and unintended actions.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal