ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

WeChat Article Parser - 微信公众号文章解析

v1.0.1

解析微信公众号文章,提取标题、作者、正文内容、图片等信息。当用户发送微信公众号链接(mp.weixin.qq.com)并希望获取文章内容、摘要或保存时触发。支持自动提取内容并可选保存到飞书表格。

1· 925·7 current·8 all-time
by@harven-droid
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The code implements WeChat parsing and optional saving to Feishu which matches the description, but the manifest/registry metadata lists no required environment variables or credentials while the save_to_feishu script clearly expects FEISHU_APP_ID, FEISHU_APP_SECRET, FEISHU_APP_TOKEN, and FEISHU_TABLE_ID. Additionally the script invokes an external 'openclaw' CLI (openclaw web-fetch) as a primary content-extraction method — this dependency is not declared in the skill metadata or SKILL.md usage notes. These mismatches reduce trust in the declared requirements.
!
Instruction Scope
SKILL.md and README present parsing and optional saving, but the save_to_feishu.py does more than 'save one record': it ensures/creates missing fields in the user's Feishu table and includes a routine to find-and-delete empty rows (bulk delete). Those automatic remote modifications (create fields, delete records) are potentially destructive and are not highlighted prominently in the SKILL.md examples. The script also tries an external CLI then falls back to direct HTTP fetch; calling a CLI from code expands the attack surface.
Install Mechanism
No install spec is provided (instruction-only plus included scripts). This is lower risk for local installation mechanics because nothing is downloaded automatically at install time. The only install step is user-run pip installs for common Python packages (requests, bs4, python-dotenv).
!
Credentials
The Feishu-related environment variables (FEISHU_APP_ID, FEISHU_APP_SECRET, FEISHU_APP_TOKEN, FEISHU_TABLE_ID) are necessary for the Feishu saving feature but are not declared in the skill's required env in registry metadata. Requesting full App ID/Secret + table token grants write and management capability for the target Feishu app/table — appropriate if you intend to allow the skill to modify a specific table, but disproportionate if you expect only a non-destructive 'save one row' action. The skill also modifies table schema and deletes rows, which justifies limited-scope app credentials and explicit user caution.
Persistence & Privilege
The skill is not always-enabled and does not request system-level persistence. However, when invoked with Feishu credentials it will perform remote operations (create fields, write records, batch-delete empty rows). Those remote side-effects are significant and should be treated as privileged actions on your Feishu data. The script also invokes a local 'openclaw' CLI if available, which can expand runtime privilege depending on that binary's capabilities.
What to consider before installing
This skill will parse WeChat articles fine, and can save them to Feishu — but before installing or running it, review and consider: - The save_to_feishu script expects FEISHU_APP_ID, FEISHU_APP_SECRET, FEISHU_APP_TOKEN, and FEISHU_TABLE_ID (not declared in registry metadata). Do not provide higher-privilege credentials than needed; prefer an app scoped only to the specific table with minimal permissions. - The script will automatically create missing fields and can batch-delete empty rows from the target Feishu table. Back up the table or test on a throwaway table first to avoid accidental data loss. - The script attempts to call an external 'openclaw' CLI (openclaw web-fetch). If that binary exists on your system, it will be executed. If you do not expect or trust that binary, run in an environment where 'openclaw' is absent or review what that CLI does. - If you want a safer setup: remove or modify the clean_empty_rows/auto-create-field code, or run the script manually after auditing it; restrict the Feishu app permissions; and run the tool in a sandbox or test account first. If you want, provide the remainder of the truncated save_to_feishu.py for a full line-by-line review; otherwise the above are the main actionable concerns based on the included files.

Like a lobster shell, security has layers — review code before you run it.

articlevk97fq63r1wsj3f9zc3y8f266yd82nw66chinesevk97fq63r1wsj3f9zc3y8f266yd82nw66latestvk975sx3kf7ywc5anw7h2hpyk6s843cf6parservk97fq63r1wsj3f9zc3y8f266yd82nw66wechatvk97fq63r1wsj3f9zc3y8f266yd82nw66weixinvk97fq63r1wsj3f9zc3y8f266yd82nw66

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments