Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

WeChat RSS

v1.0.0

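Fetches and displays the latest articles from WeChat public accounts via the wcrss.com API. Use this skill when the user asks to view WeChat public account articles, get an account's latest published content, read WeChat RSS subscriptions, or browse public account content. The skill reads the API key from the environment variable WCRSS_API_KEY and calls the wcrss.com API to fetch article data.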

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name, description, SKILL.md, and the Python script all align: the skill fetches WeChat public-account articles from the wcrss.com API. However, the registry metadata lists no required environment variables while both SKILL.md and scripts clearly require WCRSS_API_KEY. This mismatch is inconsistent and should be corrected.
Instruction Scope
Runtime instructions and the script stay within the stated purpose: they call api.wcrss.com, cache results to a local JSON file, and return article fields for LLM summarization. The SKILL.md does not instruct the agent to read unrelated system files or other env vars. It does instruct summarizing article HTML with the LLM (which will send article content to the model) — expected for the skill but worth noting for privacy.
Install Mechanism
This is instruction-only with an included Python script (no install spec). The script imports requests but the skill metadata does not declare dependencies (e.g., requests). That can cause runtime failures; it's not an obvious malicious install vector but is an omission that affects reliability.
Credentials
The script and SKILL.md require a single API key (WCRSS_API_KEY) which is proportionate to the described functionality. The concern is that the registry metadata does not declare this required env var (or a primary credential). This mismatch could cause confusion and may hide that a secret is needed; ensure the skill actually documents and requests only this API key.
Persistence & Privilege
The skill does not request persistent or elevated privileges. always is false, it does not modify other skills or system-wide settings, and its only persistent artifact is a local cache file (wechat_articles_cache.json) created in the working directory.
What to consider before installing
This skill appears to do what it claims (fetch WeChat articles from wcrss.com) but the registry metadata omitted the required WCRSS_API_KEY and a dependency declaration for the Python requests library. Before installing: (1) verify the source or publisher since homepage/source are not provided, (2) expect to set WCRSS_API_KEY in the agent environment (this key is required and will be sent to api.wcrss.com), (3) ensure the runtime has Python and the requests package, (4) be aware the skill writes a cache file named wechat_articles_cache.json in the agent's working directory (which could be inspected), and (5) if you don't trust the publisher, do not provide your API key — request the publisher fix the metadata so the required env var and dependencies are declared. If you want to proceed, consider creating a limited-scope API key on wcrss.com and running the script in a sandboxed environment first.

Like a lobster shell, security has layers — review code before you run it.

