ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

WeRead (微信读书)

v1.0.0

微信读书(WeRead)数据查询与笔记管理技能。获取书架、搜索书籍、查看阅读进度/时长、获取笔记划线、热门书评、章节信息、随机笔记抽取和批量导出。当用户提到"微信读书"、"WeRead"、"书架"、"读书进度"、"划线"、"笔记"、"书评"、"在读"、"读完"、"阅读时长"、"读书回顾"、"导出笔记"时使用。

0· 129·2 current·2 all-time
by陈源泉@chenyqthu
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the code and runtime instructions: all scripts call weread.qq.com endpoints and implement bookshelf, notes, highlights, progress, export, and random-review features described in SKILL.md/README. There are no unrelated services or credentials requested.
Instruction Scope
SKILL.md instructs the agent/user to provide a WeRead browser session cookie (document.cookie or Chrome cookies) and to run local Python scripts under ~/.openclaw/workspace/skills/weread/scripts/. Asking to extract and store the session cookie is sensitive but necessary for the stated functionality. The instructions do not ask the agent to read unrelated system files or transmit data to third-party endpoints.
Install Mechanism
No install spec (instruction-only install) and repository contains Python scripts only. Nothing is downloaded from arbitrary URLs. Scripts read/write only to ~/.weread and use standard library modules; the install mechanism is low-risk.
Credentials
No environment variables or external credentials are requested. The only sensitive input is the WeRead session cookie, which is appropriate for a tool that interacts with a web account. The cookie file is stored under ~/.weread/cookie and the code sets file mode to 600.
Persistence & Privilege
Skill is not always-enabled, does not request elevated privileges, and does not attempt to modify other skills or system-wide configuration. It persists user data under ~/.weread (expected behaviour for export/local cache).
Assessment
This skill needs your WeRead session cookie to access your account data — providing that cookie gives the skill the same access as your logged-in browser session (reads bookshelf, notes, highlights, etc.). The code appears to store everything locally under ~/.weread and only calls weread.qq.com. Before installing: (1) review the code yourself if you can (scripts are plain Python); (2) only run on a machine you trust and avoid pasting cookies on shared/remote hosts; (3) keep the cookie file permissions as 600 and remove the cookie file when you stop using the skill; (4) if you are concerned, create a disposable/new WeRead session and use that cookie (or revoke the session / rotate credentials after use). If you want extra assurance, run the scripts locally (inspect outputs) rather than granting the agent automated browser access to extract cookies.

Like a lobster shell, security has layers — review code before you run it.

latestvk974582tv079s9ygqfxntqxrwx839cnz

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments