ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

WeChat Article Extractor

v1.0.0

Extract full text and figures from a WeChat public account (微信公众号) article URL and save as a clean Markdown file. Handles WeChat's bot-detection by finding m...

0· 944·22 current·22 all-time
byChunhua Liao@chunhualiao
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the artifacts: SKILL.md, skill.yml, and the included Python extractor implement mirror discovery, curl downloads, and HTML→Markdown conversion. Required tools (web_fetch, web_search, exec, optional browser) align with the workflow.
Instruction Scope
Runtime instructions are narrowly scoped to fetching article HTML (direct or via mirrors), converting to Markdown, and saving to disk. The fallback using a browser snapshot and a Chrome Relay extension is explained and limited to reading the page; the skill does not instruct reading unrelated system files or environment variables.
Install Mechanism
No install spec is present (instruction-only skill plus a bundled Python script). The script is local and executed directly; no external arbitrary downloads or archive extraction are performed by the skill itself.
Credentials
No environment variables, credentials, or config paths are required. Declared system dependency (curl, Python 3.8+) and use of /tmp for temporary files are proportionate to the task.
Persistence & Privilege
Skill is not always-enabled and does not request elevated persistence. It writes output to a user-specified path (default /tmp) and does not modify other skills or global agent config.
Assessment
This skill appears to do what it says: find mirror pages, download HTML, and convert to Markdown with a bundled Python script. Before installing: (1) Review the included Python script if you want to confirm no unexpected network destinations are embedded (it operates on local HTML files and does not perform remote uploads); (2) be aware images remain hotlinked to third-party hosts (mirrors/WeChat) — they may expire or track access; (3) the Chrome Relay fallback requires a browser extension — install only a trusted extension and understand it will allow a snapshot of the page to be read by the agent; (4) consider restricting file-save locations (avoid sensitive directories) and verifying outputs before publishing. If you want higher assurance, ask the author for a signed release or run the script in a sandbox to observe network activity.

Like a lobster shell, security has layers — review code before you run it.

latestvk97fvfb0n39qtd6ggc46qetdn98205nk

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments