Openclaw Wechat Mp Guide

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly a WeChat article-generation workflow, but it handles API credentials and can automatically publish to a WeChat account with risky scoping.

Review this carefully before installing. Use it only with a dedicated, least-privilege WeChat account or test account, avoid running the credential-printing checks as written, keep .env files out of version control, and require a manual final approval before any WeChat draft, preview, or publish action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 95%
Finding
The guide instructs users to handle highly sensitive credentials such as AppSecret and EncodingAESKey directly in interactive setup and examples without any warning about secure storage, rotation, redaction, or least-privilege handling. In a public-facing integration guide, this can normalize unsafe secret management practices, increasing the chance that operators expose credentials in shells, logs, screenshots, shared config files, or support requests.

VirusTotal

66/66 vendors flagged this skill as clean.
