Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
WeChat Games Reporter
v1.0.0
Generates automated Feishu reports with real-time WeChat mini games ranking data, insights, and trends for market analysis and competitive intelligence.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The description says it scrapes https://sj.qq.com/wechat-game and delivers Feishu documents. However the skill declares no required binaries, no install steps, and no environment variables (no Feishu API key, bot token, or OAuth credentials). A legitimate implementation would need browser automation tooling (e.g., puppeteer/selenium) and explicit Feishu credentials or API endpoints—those are missing, which is inconsistent.
Instruction Scope
SKILL.md explicitly instructs the agent to navigate to the Tencent site, extract rankings, structure data, and deliver via Feishu. The instructions are high-level and do not constrain how navigation/scraping or Feishu posting should be done, giving the agent broad discretion to perform arbitrary web automation and network activity. The doc does not reference which Feishu API or account to use, nor does it limit what data to read, creating scope and operational ambiguity.
Install Mechanism
There is no install spec (instruction-only), which is lower risk in terms of writing code to disk. However, the declared dependencies (browser automation, Feishu permissions) imply that tools are needed at runtime; the absence of an install mechanism or guidance for obtaining those tools is a coherence gap that could lead an agent to attempt ad-hoc actions or require elevated capabilities from the host.
Credentials
The skill requires Feishu delivery permissions in practice but declares no environment variables or primary credential. That omission is disproportionate: delivering messages/documents to Feishu normally requires a bot token, app ID/secret, or OAuth credentials. The lack of stated credential requirements is a red flag for unclear credential handling (where/how tokens would be supplied).
Persistence & Privilege
The skill does not request always: true, has no install that modifies other skills, and does not request system-wide config paths. It appears not to demand persistent elevated privileges in its metadata.
What to consider before installing
This skill's stated purpose (scrape sj.qq.com and post to Feishu) would normally require concrete tooling and credentials. Before installing or running it, ask the publisher for: (1) source code or a clear implementation plan showing how scraping and Feishu posting are performed; (2) an explicit list of required environment variables or tokens and where they are used; (3) an install/run guide for any browser automation dependencies; (4) assurance that a limited Feishu bot/service account will be used (not full org admin tokens). If you must test it, run in an isolated environment, do not provide high-privilege org tokens, and prefer scoped service-account credentials. If the publisher cannot provide these details, treat the skill as untrusted.
