Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
WeChat Channels Video Search
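v1.0.1 (Verified) Search WeChat Channels videos through the TikHub API (requires bypassing the Great Firewall); supports keyword search and returns video download links and analytics data.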
byan@ahsbnb
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The name/description (TikHub WeChat Channels search) align with the code and SKILL.md: the skill calls api.tikhub.dev and returns video links/metrics. Requiring a TikHub token is proportionate. No unrelated services or binaries are requested.
Instruction Scope
SKILL.md instructs storing a TikHub token in ~/.openclaw/config.json or using TIKHUB_API_TOKEN. The Python script, however, emits the token and debugging information to stdout/stderr (print("token", token) and debug prints of the URL/response text). Those debug outputs are not required by the skill's stated purpose and risk leaking credentials or API response data.
Install Mechanism
No install spec; code is a small Python script requiring the requests package. Nothing is downloaded from arbitrary URLs or installed in nonstandard locations.
Credentials
The only required secret is a TikHub API token, which is appropriate. The script expects the token in config and supports an environment-variable fallback (TIKHUB_API_TOKEN), which is reasonable, but printing the token to stdout/stderr is disproportionate and creates an exfiltration risk.
Persistence & Privilege
The skill does not request always:true and is user-invocable only. It does not modify other skills or system settings. Autonomous invocation is permitted by default but not combined with other high privileges.
What to consider before installing
This skill does what it says (search TikHub) and needs your TikHub API token, but the included script prints your token and debug response text to stdout/stderr, which can leak your secret if you share console output or if an agent/operator captures it. Before installing or running: (1) review and remove or mask debug prints (remove print("token", token) and debug response logs), (2) store the token in a secure place and avoid sharing outputs that contain it, (3) consider restricting the TikHub token's permissions to the minimum, (4) run the script locally in a controlled environment first and audit network calls (it calls https://api.tikhub.dev), and (5) if you plan to allow autonomous agent invocation, be cautious because the agent could call the skill and cause token exposure; disable autonomous invocation or require explicit user approval if you need stricter control.
Like a lobster shell, security has layers — review code before you run it.
