WeChat Official Account Reading Growth Ranking
Pass
Audited by ClawScan on May 13, 2026.
Overview
This skill appears to be a purpose-aligned WeChat ranking data fetcher, but it contacts a third-party API with an embedded token and users should verify how the ranking score is calculated.
Before installing, be aware that the skill may run a Python script that calls onetotenvip.com with the requested ranking date and a fixed source value. It does not appear to access your local files or credentials, but you should trust the third-party data provider and verify the scoring method if the ranking will inform important decisions.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill may run the bundled script and contact the ranking API with the requested date.
The skill is designed to have the agent run a local Python script to fetch the ranking. This is purpose-aligned, but users should know the agent will execute local code and make a network request.
python scripts/fetch_growth_rank.py --rankDate "<yesterday|today|YYYY-MM-DD>" --source "公众号阅读增长榜-ClawHub"
Use it only when you want this data fetch, and review the script or endpoint if you need strict control over outbound network calls.
Requests are made under the skill publisher's embedded service token rather than a credential you control.
The script uses an embedded API token to call the external service. It is not a user-provided credential and is used only for the documented endpoint, but its scope is not described in the metadata.
"N-Token": "2f9f88dbb743423dbf0a8db2977c49eb"
Install only if you are comfortable relying on the publisher's API access; the publisher should keep the token narrowly scoped and rotate it as needed.
The skill may fail or behave differently if the expected Python environment and package are not already present.
The skill documents a Python dependency, but the registry requirements and install spec do not declare an install mechanism or required binary. This is a packaging/provenance note, not evidence of malicious behavior.
Environment and dependencies: Python standard library + `coze_workload_identity`
Ensure the runtime provides Python and the expected coze_workload_identity package; publishers should declare runtime dependencies in metadata.
Business or content decisions based on the output could be affected if users assume the ranking is purely by growth rate.
The script calculates and sorts by its own interaction-based score. This may differ from a user's expectation of a pure reading-growth-rate ranking, so the displayed order should be understood as transformed by the script.
Dimension 1: total interactions (shares + Wow + likes) → weight 40% ... Dimension 2: weighted interaction value (shares*5 + Wow*3 + likes*2) → weight 60% ... scored_data.sort(key=lambda x: x[1], reverse=True)
Verify the scoring method before relying on the order of results, especially for reporting or competitive analysis.
