Huo15 Openclaw Wechat Service

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real WeChat service-account plugin, but it grants broad account-control powers by default and can persist or sync chat transcripts, so it needs careful review before use.

Install only if you intend to grant this plugin real control over a WeChat service account. Before production use, configure permissionMode=admin-only or role-based, set adminUsers, review who can invoke tools, disable knowledgeSync unless transcript storage is required, restrict Odoo access and retention, upgrade flagged dependencies, and treat WeChat/Odoo credentials as high-value secrets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (19)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill advertises and documents capabilities that inherently require network access and use of secrets such as appSecret, token, and encodingAESKey, yet no explicit permissions are declared. This creates a transparency and governance gap: operators may install the skill without understanding that it can make outbound requests and consume sensitive environment-backed credentials, increasing the chance of overtrust and unsafe deployment.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The top-level description frames the package as a narrow hotfix for WeChat text truncation, but the documented behavior is a full-featured channel plugin with webhook handling, outbound messaging, token management, OAuth, analytics, OCR, card APIs, transcript persistence, and setup automation. This mismatch can materially mislead reviewers into underestimating the attack surface, permissions, data handling, and external integrations, which is especially risky for a plugin that processes inbound messages and manages credentials.

Description-Behavior Mismatch

High
Confidence
91% confidence
Finding
The release script is labeled and operationally tied to a different package/skill (`@huo15/openclaw-enhance`, `huo15-openclaw-enhance`) than the manifested WeChat service plugin under review. This can cause maintainers or automation to publish, tag, or mirror the wrong artifact, creating a supply-chain integrity issue where users receive an unintended package or the intended plugin is never released correctly.

Description-Behavior Mismatch

Medium
Confidence
82% confidence
Finding
This file implements persistent transcript export to local storage and Odoo, which is a material data-handling capability beyond the plugin description focused on WeChat reply truncation. Even if not overtly malicious, hidden or under-disclosed transcript replication increases privacy, compliance, and data-exfiltration risk because user conversations are copied to additional backends asynchronously.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The code forwards conversation transcripts to Odoo whenever an Odoo URL is configured, creating a secondary data sink for potentially sensitive user messages and model replies. This can expose personal or confidential data to another service boundary without evidence here of minimization, consent, or destination validation.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The function writes conversation transcripts to local files, expanding persistence of user data beyond message handling. Local transcript storage can create unauthorized access, over-retention, and forensic leakage risks if filesystem permissions, encryption, and retention are not tightly controlled.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The code truncates outbound text with JavaScript character slicing (`input.slice(0, 2000)`) instead of enforcing the documented WeChat 2048-byte limit. In Chinese/emoji-heavy content, 2000 characters can far exceed 2048 bytes, causing message rejection and delivery failure; this is especially risky because the package metadata explicitly claims this hotfix already exists, creating a false sense of safety.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill states that each conversation is automatically synchronized to local markdown and optionally to Odoo knowledge.article, but provides no prominent warning, consent model, retention policy, or guidance on handling potentially sensitive user messages. In a messaging-channel context, silent persistence of chat transcripts creates privacy, compliance, and data leakage risks because users and operators may not expect customer conversations to be stored locally or replicated to external systems.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This code deliberately exports full conversation content, sender identifiers, account metadata, and timestamps into Odoo knowledge articles, creating persistent cross-system storage of potentially sensitive personal data. Even if intended for operational logging, the absence of any consent check, minimization, or policy gate in this flow makes privacy exposure, over-collection, and downstream unauthorized access materially more likely.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The consume path includes the raw voucher code and the user's openid in the returned summary, which may be surfaced to logs, agents, or user-visible transcripts. These identifiers are sensitive operational data; exposing them unnecessarily increases the chance of privacy leakage, replay abuse in adjacent systems, or unintended disclosure through observability tooling.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The decrypt action returns the decoded voucher code directly in the summary, turning an encrypted token into plaintext that may be exposed in logs, chat history, or downstream tool chains. In this skill context, decrypted card codes are directly tied to redemption workflows, so unnecessary disclosure materially raises the risk of unauthorized use or leakage of redeemable credentials.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The tool accepts a user-supplied public image URL and forwards it to WeChat-side OCR/image-processing services, which causes user-controlled data to be transmitted to an external party. Even though the URL must be public and the code does basic scheme validation, there is no disclosure, consent flow, or privacy warning in this tool path, so users may unintentionally expose sensitive documents such as ID cards, bank cards, or licenses to third-party processing.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This tool exposes high-impact actions such as bulk send, delete, and speed changes directly through a single execute path without any built-in confirmation, dry-run requirement, or explicit safeguard for destructive operations. Although authorization is checked, an authorized but mistaken or prompt-influenced caller could still trigger irreversible or mass user-facing actions, making accidental misuse a realistic safety and security issue.

Ssd 3

Medium
Confidence
95% confidence
Finding
The documentation states that every inbound user message and agent reply may be persisted to local markdown files and synchronized to Odoo knowledge articles. This creates a real data-retention and privacy risk because user conversations may contain personal data, credentials, or business-sensitive content that is duplicated across storage systems and retained beyond necessity.

Ssd 3

Medium
Confidence
95% confidence
Finding
The function persistently copies user messages, AI replies, openid/sender identifiers, account identifiers, and dates into Odoo articles in readable form. This increases breach impact and insider-access risk because sensitive conversation data is duplicated into a knowledge system that may have broader visibility, longer retention, and weaker access controls than the original messaging channel.

Known Vulnerable Dependency: fast-xml-parser==5.3.4 — 6 advisories: CVE-2026-33036 (fast-xml-parser affected by numeric entity expansion bypassing all entity expans); CVE-2026-27942 (fast-xml-parser has stack overflow in XMLBuilder with preserveOrder); CVE-2026-41650 (fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimi) +3 more

Critical
Category
Supply Chain
Confidence
97% confidence
Finding
fast-xml-parser==5.3.4

Known Vulnerable Dependency: undici==7.20.0 — 6 advisories: CVE-2026-1525 (Undici has an HTTP Request/Response Smuggling issue); CVE-2026-1527 (Undici has CRLF Injection in undici via `upgrade` option); CVE-2026-1528 (Undici: Malicious WebSocket 64-bit length overflows parser and crashes the clien) +3 more

High
Category
Supply Chain
Confidence
95% confidence
Finding
undici==7.20.0

Known Vulnerable Dependency: vitest==2.1.8 — 1 advisory: CVE-2025-24964 (Vitest allows Remote Code Execution when accessing a malicious website while Vit)

Critical
Category
Supply Chain
Confidence
82% confidence
Finding
vitest==2.1.8

Known Vulnerable Dependency: openclaw==2026.3.23-2 — 10 advisories: CVE-2026-41913 (OpenClaw: Concurrent async auth attempts can bypass the intended shared-secret r); CVE-2026-43526 (OpenClaw: QQBot reply media URL handling could trigger SSRF and re-upload fetche); CVE-2026-43530 (OpenClaw: busybox and toybox applet execution weakened exec approval binding) +7 more

High
Category
Supply Chain
Confidence
88% confidence
Finding
openclaw==2026.3.23-2

VirusTotal

65/65 vendors flagged this skill as clean.