Send messages to WeChat contacts or groups

Security checks across malware telemetry and agentic risk

Overview

This skill appears purpose-aligned, but it can send real WeChat messages from the user’s logged-in desktop session with limited safeguards.

Install only if you trust the publisher and are comfortable letting an agent send WeChat messages from your logged-in desktop. Watch the WeChat window during use, test with harmless contacts first, avoid sensitive batch content, delete send_queue.json after interrupted batches, and prefer adding a manual confirmation step before live sends.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill documentation declares no permissions, yet the implementation is described as persisting a batch queue to a local file, which implies file read/write capability not transparently disclosed to users or the platform. Undeclared persistence increases risk because message targets and workflow state may be stored locally without explicit consent or review, making behavior less auditable and easier to misuse.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The described behavior goes beyond merely sending a message to a specified contact: it can inspect WeChat window state, send to the current chat without re-selecting a contact, batch-send to multiple recipients, persist queue state locally, and alter targets in test mode. This mismatch is dangerous because users may grant trust based on a narrower description while the skill can automate broader outbound communication and stateful messaging workflows with greater risk of accidental or unauthorized sends.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger phrase '发微信' is a natural-language phrase likely to appear in ordinary conversation, which raises the chance of accidental invocation. Because this skill performs real outbound messaging, unintended activation can directly cause messages to be prepared or sent to contacts without sufficient user confirmation.

Missing User Warnings

High
Confidence
96% confidence
Finding
The skill description emphasizes convenience and automation but does not clearly warn that it will automatically control the keyboard and send outbound WeChat messages, including batch messaging. In this context, missing warnings are significant because the action is externally visible, potentially irreversible, and can affect multiple recipients if triggered mistakenly.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This script triggers actual WeChat message sending immediately once arguments are provided or the queued '--next' flow is used, with no interactive confirmation, preview, or recipient verification before performing the action. Because the skill is explicitly designed to automate outbound messaging on a user's desktop, an accidental invocation, malformed contact list, or prompt-injection-driven agent action could cause unintended messages to be sent to real contacts.

Missing User Warnings

High
Confidence
97% confidence
Finding
The tool exposes direct message-sending capability that triggers GUI automation immediately when called, with no confirmation step, recipient verification, dry-run mode, or user visibility check. In an agent setting, this can cause unintended or unauthorized messages to be sent to the wrong person or from the wrong context, leading to privacy leaks, social engineering, spam, or reputational harm.

VirusTotal

54/54 vendors flagged this skill as clean.