Security audit

wechat-publisher

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed WeChat publishing helper, but it can use account credentials and create WeChat drafts from broad prompts, so it needs careful review before installation.

Install only if you intentionally want an agent to manage real WeChat public-account drafts. Prefer environment variables over plaintext config files, keep AppSecret values out of shared folders and version control, verify the active account before each run, and require an explicit final command before uploading covers or creating drafts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Vague Triggers

Medium
Confidence: 94%
Finding: The README advertises very broad trigger phrases such as '今天给公众号写一篇文章' and '查看发布情况' for a skill that can switch accounts, generate content, and publish drafts. In an agent environment, overly generic invocation language increases the chance of unintended activation and can lead to accidental content generation or publication actions against the wrong public account, even if later steps require confirmation.

Vague Triggers

Medium
Confidence: 90%
Finding: The trigger phrases include broad everyday expressions such as '今天要发公众号' and '今天要发微信', which can cause the publishing skill to activate from casual conversation rather than a deliberate request. In a skill that can read account configs, generate content, and publish drafts, accidental invocation increases the chance of unintended file access, content generation, or workflow progression.

Vague Triggers

Medium
Confidence: 92%
Finding: The trigger '微信发文' is ambiguous because it can refer to many WeChat-related actions, not specifically public-account article publishing. Given this skill's ability to switch accounts, access configuration files, and perform external publication steps, an unclear trigger materially raises the risk of unintended activation in the wrong context.

Missing User Warnings

Medium
Confidence: 94%
Finding: The guide instructs testers to copy a template into a local file and populate it with real AppID/AppSecret values, but it provides only minimal cleanup guidance and no strong controls for secure storage, file permissions, secret redaction, or use of environment-based secret management. This increases the chance of credential exposure through local backups, version control, logs, screenshots, or leftover files in a testing environment.

External Transmission

Medium
Category: Data Exfiltration
Content:
    Returns:
        media_id or None
    """
    url = f"https://api.weixin.qq.com/cgi-bin/draft/add?access_token={access_token}"

    data = {
        "articles": [article_data]
Confidence: 92%
Finding: https://api.weixin.qq.com/

Credential Access

High
Category: Privilege Escalation
Content:
        if 'access_token' in data:
            # Do not print the full token; show only the first 10 characters
            token_preview = data['access_token'][:10] + "****"
            print(f"✅ Access Token获取成功: {token_preview}")
            return data['access_token']
        else:
            error_msg = data.get('errmsg', '未知错误')
Confidence: 90%
Finding: Access Token

Unpinned Dependencies

Low
Category: Supply Chain
Content:
requests>=2.28.0
playwright>=1.30.0
python-dotenv>=1.0.0
Confidence: 93%
Finding: requests>=2.28.0

Unpinned Dependencies

Low
Category: Supply Chain
Content:
requests>=2.28.0
playwright>=1.30.0
python-dotenv>=1.0.0
Confidence: 93%
Finding: playwright>=1.30.0

Unpinned Dependencies

Low
Category: Supply Chain
Content:
requests>=2.28.0
playwright>=1.30.0
python-dotenv>=1.0.0
Confidence: 92%
Finding: python-dotenv>=1.0.0

Known Vulnerable Dependency: requests — 10 advisories: CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category: Supply Chain
Confidence: 96%
Finding: requests

VirusTotal

66/66 vendors flagged this skill as clean.