WeChat Mail Bridge (Windows/OpenClaw)

Security checks across malware telemetry and agentic risk

Overview

The skill matches its stated WeChat-to-mail bridge purpose, but it grants sensitive messaging and mail-routing authority with weak operator controls.

Install only if you control the WeChat groups, BHMailer account, plugin host, sidecar host, and VLM endpoint. Change all development secrets, keep services bound to localhost or a trusted network, disable remote VLM unless users consent to screenshot upload, restrict who can issue admin commands, and avoid using it in chats or mailboxes containing highly sensitive content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill clearly describes capabilities involving local file access, environment-based secret handling, Windows helper scripts, bundled executables, and network-connected mail/plugin operations, yet it declares no explicit permissions. This creates a trust and review gap: an agent may invoke file, shell, env, or network-capable components without transparent user consent or policy enforcement, which is especially sensitive because the skill targets Windows desktop automation and sidecar/runtime execution.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
Admin commands such as /mail-pause, /mail-resume, /mail-flush, /mail-bind set/del, and /mail-last are recognized purely from chat message text and there is no authorization check on sender identity, role, or trusted chat context before executing them. In this bridge, any participant in an allowlisted group can potentially alter routing, pause monitoring, flush queued sends, or inspect operational state, which can disrupt service or redirect mail-derived replies.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
Webhook ingestion allows a normalized webhook event to specify targetChatId or targetChatName, and the coordinator will queue a reply directly to that resolved target without tying the delivery to an existing user-initiated job or watch subscription. If webhook authenticity or upstream normalization is bypassed or misconfigured, mail-derived content could be injected into arbitrary mapped chats, enabling spam, data leakage, or misdelivery.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README explicitly documents a visual fallback that can extract WeChat chat content and send it to an OCR/VLM service, including a default example pointing at an external API. Because this skill handles desktop chat automation and mail bridging, message contents may include sensitive personal, business, or credential-like data; omitting a clear privacy warning and data-handling disclosure creates a real confidentiality risk for operators and end users.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The adapter sends keystrokes directly into the active WeChat desktop UI and immediately presses Enter, causing messages to be transmitted without any in-band confirmation, consent checkpoint, or recipient verification at send time. In this skill's context, the component is explicitly designed to automate external messaging on Windows, so a bad chat_id, UI focus mistake, or upstream misuse could send sensitive or misleading content to the wrong recipient with no human intervention.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
When visual mode is enabled, the adapter captures a screenshot of the WeChat chat region, base64-encodes it, and sends it to a configurable remote VLM endpoint for message extraction. That screenshot can contain highly sensitive chat content, email addresses, attachment previews, and other personal or business data, yet this code provides no consent gate, redaction, allowlist, or local-only enforcement; in this skill's context, that is especially risky because it automates mail-bridge workflows and may process sensitive communications.

External Transmission

Medium
Category
Data Exfiltration
Content
# Flagged excerpt: the screenshot payload is posted to a configurable external endpoint
if api_key:
    headers["Authorization"] = f"Bearer {api_key}"

response = requests.post(
    f"{base_url}/chat/completions",
    headers=headers,
    json=payload,
)
Confidence
93% confidence
Finding
requests.post( f"{base_url}/chat/completions", headers=headers, json=

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal