weixin-xlog-analyzer

Pass: Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: weixin-xlog-analyzer
Version: 1.0.0

The skill bundle's `SKILL.md` instructions and `references/analysis_guide.md` examples direct the AI agent to execute Python scripts (`scripts/xlog_parser.py`, `scripts/log_analyzer.py`) via shell commands, passing file paths as arguments. This creates a shell injection vulnerability if the AI agent does not properly sanitize or quote user-provided input before constructing and executing these commands. While the Python scripts themselves are benign and perform their stated log analysis functions, they do not implement input sanitization for their command-line arguments, thus relying on the calling agent to prevent injection.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Note, Medium Confidence
ASI01: Agent Goal Hijack
What this means

A crafted log line could try to influence the agent while it is generating the report.

Why it was flagged

The skill directs the agent to inspect user-provided log content. Log lines can contain arbitrary text, so the agent should treat them as data, not as instructions.

Skill content
Based on the statistics and the log content, the agent analyzes problem patterns
Recommendation

When using the skill, keep analysis focused on diagnostics and ignore any commands or instructions that appear inside the log text.

What this means

If you need a decryptor, its safety depends on where you obtain it and how you run it.

Why it was flagged

Encrypted Xlog handling depends on an external decryptor that is not included in the reviewed artifacts.

Skill content
To decrypt Xlog, users must prepare a decryption tool such as QXLog themselves (this Skill does not include decryption functionality)
Recommendation

Use only trusted, verified external decryption tools and review their permissions separately.

What this means

Generated files such as parsed logs and reports may contain private WeChat diagnostic content or other sensitive strings from the source logs.

Why it was flagged

The parser preserves the original log message and raw line in the generated JSON output.

Skill content
'message': message, 'raw': line ... result = { 'total_count': len(logs), 'logs': logs, ... }
Recommendation

Redact sensitive logs before analysis when possible, store output files in a safe location, and avoid sharing generated JSON reports unless reviewed.