Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Save Article With Images

v1.0.1

Save web articles locally with images. Automatically downloads images, generates Markdown, and converts to PDF. Supports WeChat Official Account articles via...

by Benjiamin Jason @barryqin9999
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name and description match the included Python script and SKILL.md (scrape article, download images, produce Markdown/PDF). However SKILL.md instructs use of tools (pandoc, weasyprint, browser actions, Feishu messaging, Jina Reader) and platform integrations that are not declared in requirements; the included script only implements a WeChat-specific scraper and does not implement Feishu upload. This mismatch (claimed integrations vs actual footprint) is unexpected and should be clarified.
Instruction Scope
Instructions include sending page content to third-party Jina Reader (curl https://r.jina.ai/URL) and browser eval actions that capture whole page text and images. The SKILL.md also instructs sending output to Feishu but no credentials or secure handoff are defined. The Python script fetches a hardcoded WeChat article URL and performs network downloads and file writes; it will send requests to mp.weixin.qq.com and external image hosts. These external network calls and the potential for sending full article content to third-party services are notable data-flow risks and not explicitly declared to the user.
Install Mechanism
No install spec (instruction-only) — lower install risk. But runtime requirements are implied (pandoc, weasyprint, Python with requests and BeautifulSoup). Those dependencies are not declared; running the included script will require Python packages and will attempt file I/O. Lack of an install spec is acceptable but the runtime dependency list should be documented.
Credentials
The skill declares no required environment variables or credentials, yet SKILL.md expects Feishu messaging and possibly browser automation (which generally require tokens or a configured connector). The code writes files under /home/admin/.openclaw/workspace (hardcoded) rather than the SKILL.md's '~/.openclaw/workspace', which can surprise users. Requesting zero credentials while instructing use of external services is disproportionate and unclear.
Persistence & Privilege
Skill is not always-enabled and does not request elevated platform privileges. It writes files to the local filesystem (user workspace) which is expected behavior for a saver/clipper. It does not modify other skills or system-wide settings.
What to consider before installing
This skill appears to implement article scraping and image download, but several issues require attention before use:
- External data flows: The SKILL.md recommends using Jina Reader (r.jina.ai) which sends the target URL/content to a third party. If article content is sensitive, do not use that option.
- Undeclared runtime dependencies: The instructions and code expect pandoc, weasyprint, Python packages (requests, bs4). The package declares no install steps — prepare these dependencies yourself or sandbox execution.
- Missing/undeclared credentials: SKILL.md describes sending results to Feishu but the skill declares no Feishu credentials or integration steps; sending will not work without additional configuration and may leak data if misconfigured.
- Hardcoded paths and URL: scripts/save_wechat.py uses a hardcoded WeChat article URL and writes to /home/admin/.openclaw/workspace/..., which may not match your environment and could create files in unexpected locations. Treat the script as an example and inspect/modify paths/URL before running.

Recommended actions: review the Python script line-by-line, run it in a restricted/sandboxed environment, remove or change the hardcoded URL/path, document and supply any required credentials securely, and avoid the Jina Reader option if you cannot send article text to a third party.

If you need certainty about what this skill will do in your environment, ask the author for a dependency list, a non-hardcoded configuration, and clear instructions for Feishu integration.

Like a lobster shell, security has layers — review code before you run it.
