ClawHub

微信公众号账号诊断与对标分析

Security checks across malware telemetry and agentic risk

Overview

This is a coherent WeChat account analytics helper, but users should avoid sharing unnecessary private analytics or demographic screenshots.

Before installing, treat WeChat backend exports and audience screenshots as sensitive. Share only data you are authorized to use, redact account identifiers or unrelated dashboard details, prefer aggregate fields over raw screenshots when possible, and avoid providing personal identifiers or unnecessary business metrics.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger phrases are broad everyday requests, increasing the chance the skill activates in contexts where users did not intend to share analytics data or receive this workflow. Over-broad invocation can cause inadvertent collection of sensitive business metrics and user demographic information under false assumptions of relevance.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill asks for user-attribute screenshots and backend analytics exports without any privacy notice, minimization guidance, or redaction instructions. These materials can contain sensitive demographic, behavioral, and business performance data, so requesting them without safeguards raises confidentiality and data-handling risks.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The case study explicitly instructs users to export 30-day article analytics and include user-attribute screenshots, but it provides no privacy notice, minimization guidance, or handling instructions for potentially sensitive audience data. In this skill context, the omission is more dangerous because the workflow is aimed at ordinary公众号 operators who may upload screenshots or spreadsheets containing demographic or account analytics without understanding retention, redaction, or consent requirements.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal