wechat article publisher

Security checks across malware telemetry and agentic risk

Overview

The skill appears to do what it claims, but it controls a live WeChat publishing account and lacks important safeguards around credentials, public publishing, and fetching remote images.

Install only if you intend to let this skill create drafts and possibly publish to a WeChat Official Account. Keep config.json private and out of version control, use --dry-run first, prefer a reviewed local --cover-image, avoid untrusted webpages or Markdown with remote images, and use --publish only after manually checking the rendered preview and target account.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Tainted flow: 'files' from requests.get (line 568, network input) → requests.post (network output)

Medium
Category
Data Flow
Content
# img is the response of requests.get on a remote image URL (network input)
img.raise_for_status()
content_type = img.headers.get("Content-Type", "image/jpeg")
# the fetched bytes are forwarded unchanged to the WeChat material upload (network output)
files = {"media": ("thumb.jpg", img.content, content_type)}
resp = requests.post(
    MATERIAL_ADD_URL,
    params={"access_token": token, "type": "image"},
    files=files,
    timeout=self.timeout,
)
Confidence
87% confidence
Finding
resp = requests.post(MATERIAL_ADD_URL, params={"access_token": token, "type": "image"}, files=files, timeout=self.timeout)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill clearly directs execution of a Python script that reads local files, uses shell commands, and makes network calls to WeChat, yet it declares no permissions or safety boundaries. This creates a transparency and consent problem: an agent or user may invoke capabilities with external side effects and secret handling without an explicit permission model.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill instructs users to place `wechat.app_id` and `wechat.app_secret` into `config.json` but provides no warning about secure storage, access control, or avoiding accidental commits/logging. This increases the risk of credential exposure, which could enable unauthorized access to the WeChat account and misuse of publishing APIs.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill supports direct submission for publication to a public WeChat account, which is an externally visible action, but it does not prominently warn about that effect or require an explicit confirmation step. This raises the risk of accidental public posting, reputational damage, or unintended distribution of unreviewed content.

VirusTotal

VirusTotal findings are pending for this skill version.
