Back to skill
Skillv1.0.1
ClawScan security
wechat-article-search-api-skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 12, 2026, 11:38 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, runtime instructions, and requested environment variable (BROWSERACT_API_KEY) are coherent with its stated purpose of calling the BrowserAct WeChat article extraction API.
- Guidance
- This skill appears to do what it says: it will call BrowserAct (api.browseract.com) using your BROWSERACT_API_KEY and print returned article content. Before installing, confirm you trust BrowserAct and are comfortable the API key will be used to fetch article text. Ensure the agent runtime has Python and the 'requests' package available. Be aware the script prints full API responses to stdout (which may include sensitive data), so protect logs and the API key. Finally, if you want to restrict autonomous runs, note that agents can invoke skills by default—disable or limit invocation in your agent settings if you prefer manual control.
Review Dimensions
- Purpose & Capability
- okThe name/description match the implementation: the script calls BrowserAct API endpoints on api.browseract.com using a TEMPLATE_ID and requires BROWSERACT_API_KEY. Required binary (python) and the single env var are appropriate for the declared task.
- Instruction Scope
- okSKILL.md limits actions to running the included Python script, checking BROWSERACT_API_KEY, monitoring task logs, and parsing API results. It does not instruct reading unrelated files, other environment variables, or contacting endpoints outside BrowserAct.
- Install Mechanism
- noteNo install spec (instruction-only + included script) is low risk. Minor note: the script imports the 'requests' library but the skill does not document or install Python dependencies; the runtime environment must have 'requests' available or the script will fail.
- Credentials
- okOnly BROWSERACT_API_KEY is required, which is proportionate and expected for an API client. No unrelated secrets or additional credentials are requested.
- Persistence & Privilege
- okThe skill is not force-included (always: false), does not request system-wide configuration changes, and does not modify other skills or agent settings.