Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Wechat Report

v1.0.0

Generate a structured comparison report for multiple WeChat Official Account articles under one topic. Use this when the user wants several WeChat Official Account articles collected in...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's stated purpose (collect WeChat articles, extract content and engagement, produce a local report) matches what the code does. However, the registry metadata lists no required binaries or environment variables while the runtime and README require Node, npm, Playwright, and Python dependencies — an omission that can mislead users about what will be installed and run.
Instruction Scope
SKILL.md and README describe running the skill on a frontmatter Markdown request file and producing local report files. The implementation performs network queries (Bing RSS and arbitrary web pages) and runs a headless browser (Playwright) which executes page JavaScript. This is expected for extraction, but means fetched pages can run arbitrary JS and trigger network activity from your machine; the skill writes output HTML/JSON under content-production/inbox/ and uses a persistent browser profile directory you supply.
Install Mechanism
There is no automated install spec in the registry. The README instructs manual pip and npm installs and Playwright browser installation (npx playwright install). The code does not download arbitrary binaries from suspicious hosts — it relies on standard package tooling — but the lack of an explicit install spec in the metadata is an inconsistency to be aware of.
Credentials
The skill declares no environment variables or credentials (and does not require them explicitly). To surface engagement metrics it relies on a browser profile (Playwright persistent context) which could contain login cookies if you provide one; the skill itself does not request secrets. This is proportionate, but you should not pass profile directories containing unrelated sensitive sessions.
Persistence & Privilege
The always field is false, and the skill does not request persistent inclusion or attempt to modify other skills. It does create/use profile directories and write report files under content-production/inbox/, which is expected and scoped to its purpose.
What to consider before installing
Before installing/running this skill:

1. Expect to install Python deps (requirements.txt), Node packages, and Playwright (npm + npx playwright install). The registry metadata omitted these runtime requirements — confirm you want to run those installers.
2. The skill fetches arbitrary web pages and launches a headless browser that executes page JS; run it in an isolated workspace or VM if you are cautious.
3. Do not point the skill at a profileDir containing sensitive cookies or other accounts unless you understand the privacy implications — the browser session can expose logged-in state to pages.
4. Review requirements.txt and any npm packages before installing.
5. The skill will only write local report and JSON files and will not automatically post to Feishu; it may require manual confirmation to sync downstream.

If you are uncomfortable with running a headless browser that visits external pages or with the metadata omissions, do not install or run it until those are addressed.


latest · vk978x77yjatv45vy0t4b9xw44984c4rs
