Skillv1.0.1

ClawScan security

Rss To Wechat · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 6, 2026, 8:57 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's code and docs generally match its RSS→WeChat purpose, but there are transparency and safety concerns: it fetches arbitrary web content with curl (including an explicit comment about bypassing SSRF protections), expects secrets via a local config that are not declared in the registry metadata, and invokes user-configured scripts (cover/publish) which could execute arbitrary code.
Guidance: What to check before installing/using this skill: - Be aware this package includes runnable shell scripts that will fetch arbitrary web pages (curl) and execute user-configured scripts. Review every script (parse-article.sh, format-wechat.sh, publish-article.sh, and scripts referenced in config.local.sh) before running. - The repo expects WeChat credentials (WECHAT_APPID and WECHAT_APPSECRET) via a local config file (config.local.sh). The skill's registry metadata does not declare required secrets — treat this as a transparency issue. Only add credentials to a local file if you trust the author and are comfortable storing them locally. - parse-article.sh contains an explicit comment about "bypass[ing] web_fetch SSRF restriction". Ask the author to explain this or remove such behavior. Do not run the scripts in a privileged environment until you understand why the code claims to bypass platform protections. - COVER_SKILL and WECHAT_PUBLISH_SCRIPT point to arbitrary executables: do not set those to untrusted scripts. Inspect any cover/publish script output and verify it does not exfiltrate data or leak tokens. - Test in a sandbox: run scripts with a known safe URL and with credentials omitted to see dry-run behaviour (use --check and parse only). Configure a safe path for PUBLISH_HISTORY (it is referenced but not set by default) to avoid accidental writes. - If you need to proceed: run bash scripts/rss-to-wechat.sh --check, inspect config.local.sh, run parse-article.sh on a sample URL and review generated JSON/HTML before any publishing step. If anything is unclear or the author cannot justify the SSRF-bypass comment, avoid using automated publishing and keep execution manual.

Review Dimensions

Purpose & Capability: noteThe scripts, documentation, and SKILL.md align with the stated goal (fetch RSS/article → parse → generate WeChat-compatible HTML → optionally publish). Required local configuration (WECHAT_APPID/WECHAT_APPSECRET, optional COVER_SKILL and WECHAT_PUBLISH_SCRIPT) is reasonable for a WeChat publishing skill — but the registry metadata lists no required environment variables, which is inconsistent and reduces transparency.
Instruction Scope: concernRuntime instructions (and the included scripts) tell the agent to run local shell scripts that: fetch arbitrary URLs with curl, parse/convert content with pandoc, and invoke user-provided scripts to generate covers and publish drafts. parse-article.sh explicitly includes the comment '绕过 web_fetch 的 SSRF 限制' (bypass web_fetch SSRF restriction), which indicates an attempt to circumvent platform protections. The skill therefore performs broad network I/O and can run arbitrary local scripts provided via configuration — behaviour beyond mere formatting and requiring user scrutiny.
Install Mechanism: okNo install spec is provided (instruction-only plus bundled scripts), so nothing is automatically downloaded or executed at install time. All code is present in the bundle; risk comes from running scripts, not from an installer fetching remote archives.
Credentials: concernThe bundle expects WeChat credentials and optional paths (COVER_SKILL, WECHAT_PUBLISH_SCRIPT) documented in config.example.sh, but the registry metadata declares no required env vars. This mismatch reduces transparency: secrets are supplied via a local config file (config.local.sh) rather than declared explicitly, and configurable script paths allow the skill to execute arbitrary binaries. Requesting WeChat credentials is proportionate to the publishing function, but the lack of manifest declaration and the ability to point to arbitrary executables are notable risks.
Persistence & Privilege: okThe skill is not always-enabled and uses normal autonomous invocation defaults. It does not request system-wide persistent privileges in the manifest, and it does not modify other skills' configuration. Persistent behavior would come from cron/automation set up by the user (documented cron example), not from any special platform privilege.