ClawHub

微信公众号内容提取工具

Security checks across malware telemetry and agentic risk

Overview

This WeChat article extractor mostly matches its purpose, but it uses unsafe JavaScript execution and weak URL scoping that deserve review before installation.

Install only if you are comfortable running a network scraper in a constrained environment. Use it only with trusted WeChat/Sogou URLs, avoid feeding arbitrary HTML, prefer reviewed local commands over npx registry resolution, choose explicit output paths, and do not run the included helper scripts unless you inspect their hard-coded paths first.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium
Confidence
86% confidence
Finding
The README states that Claude will automatically trigger this skill whenever a user provides a WeChat article link, but it does not describe meaningful constraints, confirmation, or scope checks. In an agent setting, broad auto-activation can cause unexpected network access and content retrieval from user-supplied URLs, increasing the chance of unnecessary data handling or unintended tool use.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The examples encourage fetching remote HTML from WeChat URLs and then parsing it, but the documentation does not prominently disclose that this performs outbound network requests and may transmit user-requested URLs or session-linked requests to external services. In privacy-sensitive agent environments, users may not expect that simply asking for extraction causes network access, which can expose browsing targets, metadata, or authenticated context.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The script writes full extracted article content to a fixed absolute path without user confirmation or any indication that local persistence will occur. In shared or monitored environments, this can expose sensitive or copyrighted article content to other local users, backups, sync tools, or later processes that read that directory.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The function performs a server-side HTTP GET to a user-supplied URL whenever the input starts with http, which creates an outbound network action based on untrusted input. Although the code restricts targets to mp.weixin.qq.com and weixin.sogou.com, it still fetches remote content without any consent, disclosure, timeout, or redirect hardening, so it can surprise users, leak environment metadata, and be abused for unwanted network activity within the allowed domains.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
When a migration page is detected, the extractor automatically invokes extract(match[1]) and performs a second fetch to a transferTargetLink found in remote HTML. This turns one user-supplied request into an implicit follow-on network request controlled by page content, increasing the risk of unexpected outbound access and making the network behavior less transparent and harder to constrain.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal