Skill v1.0.2
ClawScan security
Wechat HTML Publisher · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 12, 2026, 1:32 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill largely does what it says (upload HTML and images to WeChat draft), but there are inconsistencies in declared requirements and a real abuse surface (downloading arbitrary URLs / reading local image paths) that could be risky if run by an agent or on a machine with sensitive internal network access.
- Guidance: This skill appears to implement its stated purpose, but take these precautions before installing or allowing autonomous runs:
  - Expect to set WECHAT_APP_ID and WECHAT_APP_SECRET (the SKILL.md and script require them) — the registry metadata incorrectly omits them.
  - Run the script locally first (not as an autonomous agent) to verify behavior and to ensure Python + requests are installed from trusted sources (pip install requests).
  - Review any HTML you feed it: the script will read local image paths (including absolute paths) and will download remote image URLs. Do not pass untrusted HTML because it could reference internal network URLs (SSRF) or local files you don’t want uploaded.
  - If you plan to let an agent invoke the skill autonomously, avoid running it on machines that have access to sensitive internal networks or metadata services; consider disabling autonomous invocation for this skill if you cannot fully trust the agent.
  - Rotate WeChat credentials if you suspect they were exposed during testing, and limit their permissions where possible.

  If you want this evaluated as 'benign' rather than 'suspicious', provide corrected registry metadata declaring the required environment variables and/or add explicit checks in the code to restrict URL/file fetching (e.g., deny private IP ranges, forbid file paths outside a safe directory).
Review Dimensions
- Purpose & Capability (note): Name/description and the included script are consistent: the tool uploads HTML and images to the WeChat draft API. However the registry metadata lists no required environment variables or primary credential even though SKILL.md and the script require WECHAT_APP_ID and WECHAT_APP_SECRET; that mismatch is unexpected and should be corrected.
- Instruction Scope (concern): SKILL.md and the script instruct reading arbitrary HTML files and local image paths (including absolute paths) and downloading network image URLs. The script will fetch arbitrary URLs and read local files referenced by the HTML and then upload them to WeChat. This is coherent with the stated purpose but introduces an SSRF file/URL fetch surface and allows reading local files referenced by the HTML (e.g., /Users/...). If the agent runs this autonomously or on a sensitive host, an attacker could craft image URLs that access internal endpoints or include local paths to exfiltrate sensitive files.
- Install Mechanism (note): There is no install spec (instruction-only / script included). The code depends on Python and the requests library (README mentions pip install requests). Not having an explicit install spec is low-risk but means the environment must already provide Python and requests — user should ensure those dependencies are installed from trusted sources.
- Credentials (concern): The script legitimately requires WECHAT_APP_ID and WECHAT_APP_SECRET to call WeChat APIs, which is proportionate. However the registry metadata does not declare these required environment variables or a primary credential, creating an inconsistency that could hide the need for sensitive credentials. No other unrelated credentials are requested.
- Persistence & Privilege (ok): always is false and the skill does not request persistent or cross-skill configuration. disable-model-invocation is false (the default), so the skill could be invoked autonomously by an agent — which is standard, but combined with the instruction-scope risks above (downloading arbitrary URLs / reading local files) warrants caution.
