微信公众号阅读增长榜 (WeChat Official Account Reading Growth Ranking)

Pass. Audited by ClawScan on May 13, 2026.

Overview

This skill appears to fetch WeChat public-account ranking data from a disclosed external API using a bundled Python script, with no evidence of malicious behavior.

This skill looks safe for its stated purpose: it runs a local Python script that sends a date and fixed source value to an external ranking API, then displays the returned public ranking data. Before installing, be aware that it depends on an unknown third-party endpoint, uses a bundled API token, and may calculate its displayed score differently from the documentation.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Using the skill runs bundled Python code on the agent environment to fetch the ranking.

Why it was flagged

The normal workflow requires executing the bundled Python script. The reviewed script is purpose-aligned and limited to date parsing, an HTTPS API request, and Markdown rendering, but users should still know local code is run.

Skill content

python scripts/fetch_growth_rank.py --rankDate "<yesterday|today|YYYY-MM-DD>" --source "公众号阅读增长榜-ClawHub"

Recommendation

Use the documented command path and arguments only, and review the script if operating in a sensitive environment.

What this means

The skill relies on a shared embedded API token to access the provider endpoint; no user secrets are requested or exposed by the artifacts.

Why it was flagged

The script sends a bundled static token to the ranking API. This appears to be a provider/API credential rather than a user credential and is disclosed in the code and API spec.

Skill content

"N-Token": "2f9f88dbb743423dbf0a8db2977c49eb"

Recommendation

Do not add personal credentials to this skill, and publishers should document and rotate embedded provider tokens as needed.

What this means

Users have less external context for who operates the API endpoint or maintains the skill.

Why it was flagged

The package provenance is limited, while the skill depends on a bundled script and a third-party API endpoint. No malicious install behavior is shown, but verification options are limited.

Skill content

Source: unknown; Homepage: none

Recommendation

Install only if you trust the publisher and are comfortable with the disclosed external API dependency.

What this means

The ranking table may be useful, but the score calculation may not be exactly what the documentation describes.

Why it was flagged

The documentation's scoring formula does not match the script's implemented min-max interaction scoring, which may affect how users interpret the reported '综合评分指数' (composite score index).

Skill content

core_workflow: "综合评分指数」计算公式:8 + 2 × ..."; script: "维度1:总互动量...权重40% ... 维度2:加权互动值...权重60%"

Recommendation

Treat the score as an implementation-specific metric unless the publisher aligns the documentation and code.