WeChat Article Extractor
Pending
Static analysis audit pending.
Overview
No static analysis result has been recorded yet. Pattern checks will appear here once the artifact has been analyzed.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may download untrusted web pages from mirror sites while completing the task.
The skill directs the agent to discover third-party mirror URLs and pass them to a shell download command. This is central to the stated extraction purpose, but users should ensure the URL is a real mirror and not an arbitrary shell argument or unrelated site.
web_search("<article title> <author/account name>") ... curl -s -L "<mirror_url>" -o /tmp/wechat-article.html
Use the skill only for specific WeChat article URLs, prefer HTTPS mirror URLs from expected domains, and review any requested output path before allowing file writes.
If used on the wrong page or with sensitive content visible, the agent could receive browser page data beyond the intended article.
The fallback uses a Chrome Browser Relay snapshot after asking the user to open the article. This is disclosed and purpose-aligned, but it creates a browser-to-agent data flow that could expose whatever page content is available in that browser context.
Please open this article in Chrome, then click the OpenClaw Browser Relay extension icon ... browser(action="snapshot", profile="chrome")
Use the browser relay only after opening the intended article, avoid sensitive tabs or pages, and confirm the agent is extracting only that article.
Users have less context for who maintains the skill and where the included script came from.
The skill does not show a homepage or known source in the registry metadata. No remote installer is present, but the provenance of the included helper script is limited.
Source: unknown
Homepage: none
No install spec — this is an instruction-only skill.
Inspect the included files before installing, and prefer skills from maintainers or repositories you trust.
A user might over-trust the skill based on its own scorecard.
The README includes a self-reported quality/security score. It is not evidence of independent security approval and should not be relied on as a safety guarantee.
OPSEC | 2/2 | No violations ... **Total** | **33/33** ... Scored by skill-engineer Reviewer
Base the install decision on the actual requested tools and behavior rather than the README's self-score.
