WeChat Reading AI Reading Assistant
Pass. Audited by VirusTotal on May 13, 2026.
Overview
Type: OpenClaw Skill
Name: weread-dl
Version: 1.2.0

This skill bundle automates WeChat Reading using Playwright to manage authentication cookies and scrape book content. A notable security risk is found in `scripts/login.js`, which uses `child_process.execSync` to execute a `curl` command for downloading QR codes. While these functions are consistent with the stated purpose of a reading assistant, the combination of browser automation, credential persistence in `profile/weread-cookies.json`, and shell execution creates a high-risk profile. No clear evidence of malicious intent or data exfiltration to unauthorized third parties was observed.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A compromised or malicious login page response could make the skill run unintended commands on your machine during QR login.
A URL read from the live login frame is interpolated into a shell command. If that page content ever supplies shell metacharacters or command substitution, the login script could execute unexpected local commands.
const qrCodeUrl = await loginFrame.evaluate(() => { ... getAttribute('src') ... });
...
execSync(`curl -sL "${fullQrUrl}" -o "${QR_CODE_FILE}"`, { timeout: 10000 });

Replace execSync with a safe download method such as Playwright/Node HTTP APIs or execFile/spawn with argument arrays, and validate the QR URL host and scheme before downloading.
Anyone or any process that can read the cookie file may be able to access your WeRead session.
The skill stores authenticated WeRead browser cookies in a local JSON file and reuses them for later account access.
const COOKIES_FILE = path.join(PROFILE_DIR, 'weread-cookies.json'); ... const cookies = await context.cookies(); fs.writeFileSync(COOKIES_FILE, JSON.stringify(cookies, null, 2), 'utf-8');
Use a dedicated or low-risk WeRead account, protect the skill directory permissions, and delete profile/weread-cookies.json when you no longer need the skill.
Your private reading history, highlights, notes, and discussions can remain in the workspace and may later be read by an agent as context.
The skill persists chapter content, annotations, notes, screenshots, and chat history as local context for future AI discussion.
Fetch full chapter text → archive and discuss with AI → automatically pull highlights and notes ... Chat history is automatically saved to books/<书名>/chat.md
Treat book and notes content as data rather than instructions, review the books/ directory regularly, and delete sensitive archives when finished.
Using the skill may violate service rules or trigger account restrictions, even if it only accesses books available to your account.
The skill intentionally automates reconstruction of protected WeRead chapter text and discloses account-ban risk.
The WeChat Reading web version scatters characters with CSS absolute positioning as copyright protection... sort and reassemble them by visual coordinates (top/left) to rebuild the full chapter text. ... Using this tool carries a risk of account suspension.
Use it only for content you are allowed to access and export, avoid unattended bulk use, and consider the documented secondary-account advice.
You may need to verify the code and dependency installation yourself before trusting it with account cookies.
The registry metadata does not provide a trusted source/homepage or install procedure, even though the included files depend on Node/Playwright.
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.
Install dependencies only from trusted registries, compare the included code with any upstream repository you choose to use, and prefer a release with complete provenance metadata.
