wechat-article-skill
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill is a coherent WeChat article-fetching helper, with only expected network access, local script execution, and dependency-install considerations.
This appears safe for its stated purpose. Before installing, note that it will make web requests to fetch article pages and requires installing Python dependencies; keep use limited to the documented WeChat article URLs and treat retrieved article text as untrusted webpage content.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent or user passes a non-WeChat URL, the local environment could make an unintended web request and feed returned page text into the conversation.
The local script fetches the URL supplied on the command line. This is expected for the skill, but the code does not enforce the documented mp.weixin.qq.com/s/ scope itself.
parser.add_argument("--url", required=True, ...)
...
html, status = fetch_html(args.url, args.ua)
Use the skill only for https://mp.weixin.qq.com/s/ article links, or add hostname/path validation in the script.
Installing the requirements may pull updated dependency versions that were not exactly reviewed with this artifact set.
The skill depends on third-party packages with lower-bound version ranges, so future installs may resolve to newer package versions. This is common and purpose-aligned, but less reproducible than pinned dependencies.
beautifulsoup4>=4.12.0
certifi>=2024.0.0
Install from a trusted Python package source and consider pinning or locking dependency versions for reproducible deployments.
