ClawAudit verdict
web-publisher
The skill publishes articles to WeChat Public Accounts. While useful, it requires configuration through a browser and interacts with an external service.
⚠ Flagged for review — coarse, uncorroborated signal, not a confirmed exploit. Review the config yourself before installing.
Automated static analysis — not a human review. ClawAudit flags capabilities, not confirmed intent, and can produce false positives. Disagree with this verdict? Use Dispute below.
Permission integrity
credential_access
Findings (5)
Possible hardcoded credential
scripts/run.js · prose · downgraded · API_KEY='${pollData.apiKey}
Instruction-prose smuggling shape detected: collects a sensitive target ("API Key") and emits it outward ("POST"). Phrased as prose with no trigger tokens — a semantic prompt-injection / data-exfil pattern the syntactic scanners can't see. Final tier capped at Caution; review the instructions before installing.
SKILL.md · - **数据流**: - URL 模式:CLI 把 `{url, action, theme, rewrite?}` + 你的 API Key 发给服务端;服务端自行抓取目标网页全文与图片,并发布到微信。⚠️ **服务端会接收原始 URL 并下载全文 + 图片**。 - 本地 PDF/PPTX(`draft|publi
References child_process — can spawn system processes
SKILL.md · prose · downgraded · child_process
Instructs covert action — may act without user awareness
scripts/run.js · prose · downgraded · silently
Accesses sensitive environment variables
scripts/lib/credentials.js · prose · downgraded · process.env.WEB_PUBLISHER_API_KEY
Permissions & capabilities
No declared permissions — minimal attack surface.
network_incredential_access Is this flag fair?
Thanks — recorded.