ClawHub

WeChat Data Exporter

v1.0.1

(已验证) 可靠的视频号数据导出器,通过 API 直接获取指定客户的多维度数据报告。

0· 121·0 current·0 all-time
byan@ahsbnb
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The name/description (WeChat data exporter) match the implementation: the script issues GET requests to API endpoints on boss-ip.da-mai.com and saves returned files. The skill does not request unrelated credentials or binaries. The only oddity is that the SKILL.md metadata points to a placeholder GitHub URL and the package has no declared homepage/source; that reduces trust but does not create functional mismatch.
Instruction Scope
Runtime instructions and the script remain narrowly scoped to calling the listed API endpoints and saving outputs under the .openclaw workspace. Minor inconsistencies exist between SKILL.md and the code: SKILL.md claims URL-encoding of the client_name and explicitly references a Windows path (C:\Users\EDY\.openclaw\...), whereas the code currently uses the provided client_name (encoding commented out) and computes the output path dynamically from the discovered .openclaw root. The script prints debug URLs (which include the author parameter) and any returned content/errors; this may expose client names in logs.
Install Mechanism
No install spec is provided (instruction-only plus a small Python script). The SKILL.md lists pip:requests which matches the script's dependency. No downloads from arbitrary URLs or archive extraction occur.
Credentials
The skill declares no required environment variables or credentials, and the code does not read any secrets. However the endpoints are on an internal-looking domain (boss-ip.da-mai.com) which in practice may require internal network access or authentication; the skill does not handle auth. That is not inherently malicious but is a potential operational mismatch (it may fail or leak request parameters if run outside the intended environment).
Persistence & Privilege
The skill does not request persistent/always-on privileges and does not modify other skills or system-wide configuration. It only writes output files into the .openclaw workspace, which is expected behavior for a data exporter.
Assessment
This skill is a small, focused Python exporter that calls a Da Mai internal API and saves returned files in your .openclaw workspace. Before installing or running it: (1) verify you trust the source — the repo/homepage is missing; (2) confirm whether boss-ip.da-mai.com is an authorized internal endpoint in your environment and whether requests require authentication (the script sends no credentials); (3) be aware the script logs full request URLs (client names are printed), so sensitive client names may appear in logs; (4) run it in an isolated/test environment first and inspect the saved files and printed output; (5) if you expect the API to require authentication, update the script to use secure credentials (and store them appropriately) rather than running unmodified. If any of these checks fail or you cannot verify the endpoint, do not run this skill with access to sensitive networks or data.

Like a lobster shell, security has layers — review code before you run it.

latestvk97c8mhnf4w1zcp5xv2xd7c8as83m26n

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments