Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Wechat Search

v1.0.3

Search WeChat Official Account articles using OpenClaw's web search, Tavily API, and web fetch capabilities with compliance-focused design.

8 stars · 3k downloads · 22 current · 25 all-time
by Jixson (@jixsonwang)

Install

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for jixsonwang/wechat-search.

Prompt (Install & Setup):
Install the skill "Wechat Search" (jixsonwang/wechat-search) from ClawHub.
Skill page: https://clawhub.ai/jixsonwang/wechat-search
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI:
openclaw skills install wechat-search

ClawHub CLI:
npx clawhub@latest install wechat-search

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)

Purpose & Capability (flagged)
The description and SKILL.md claim use of OpenClaw web tools and Tavily as optional, but the packaged Python code actually requires a TAVILY_API_KEY, invokes Node.js scripts, and calls the 'openclaw' CLI. The registry metadata lists no required env vars or binaries, so the actual capabilities (need for Node and OpenClaw CLI, and access to Tavily) are not reflected in the declared requirements. The code also hardcodes absolute paths (/root/.openclaw/workspace/skills/...), which implies cross-skill or privileged assumptions that don't match the stated purpose.

Instruction Scope (flagged)
SKILL.md describes a three-layer strategy and mentions web_search/web_fetch tools and optional API keys, but the code performs additional actions not clearly documented: it reads ~/.openclaw/tavily-config.json as a fallback, and directly executes a Node.js script at an absolute workspace path. The instructions do not document executing other skills' scripts or requiring Node/OpenClaw binaries, giving the agent broader runtime actions than advertised.

Install Mechanism
There is no install spec (instruction-only), so nothing is automatically downloaded or installed by the skill bundle itself. That lowers disk-write risk. However, the runtime relies on external binaries (node, openclaw) being present; those are not installed by the skill.

Credentials (flagged)
The package metadata declares no required environment variables, yet multiple code paths demand TAVILY_API_KEY (and attempt to load it from ~/.openclaw/tavily-config.json). This is a mismatch: a credential is effectively required but not declared. The skill also inherits the process environment when invoking subprocesses, so it could leak additional env vars to child processes if present.

Persistence & Privilege (flagged)
The skill is not marked always:true and does not persistently modify system config, which is good. However it executes other-skill code by invoking a hardcoded Node script in /root/.openclaw/workspace/skills/tavily-search/scripts/search.mjs and calls the OpenClaw CLI; this means it assumes and acts on workspace files belonging to other skills/runtime and can execute arbitrary code there. Accessing/executing other skills' files is a cross-skill privilege that the SKILL.md and metadata do not disclose.

What to consider before installing

This skill contains mismatches and runtime assumptions you should verify before installing. Specific concerns:
  • The code expects a TAVILY_API_KEY (and falls back to ~/.openclaw/tavily-config.json) but the skill metadata does not declare this required credential — if you enable the skill and set that env var it will be used by subprocesses. Only provide secrets you trust the skill to use and declare.
  • The Python code invokes external binaries (node and the OpenClaw CLI) via subprocess; ensure those binaries exist and are the versions you expect. If you don't run node or OpenClaw in the environment, the skill may fail or behave unexpectedly.
  • The code executes a Node.js script via an absolute path in /root/.openclaw/workspace/skills/... — that means the skill will run code from other skill workspaces. Before enabling, inspect the referenced script (search.mjs) and any other code under that path to ensure it is safe and hasn't been tampered with.
  • Because the skill spawns subprocesses, it can pass environment variables to child processes. Avoid installing it in environments containing sensitive credentials unless you have audited the invoked scripts.
Recommended actions:
  • Ask the publisher to update the registry metadata and SKILL.md to explicitly declare required env vars (TAVILY_API_KEY), required binaries (node, openclaw), and any expected config file paths.
  • Inspect the referenced Node script (/root/.openclaw/workspace/skills/tavily-search/scripts/search.mjs) and confirm its provenance before allowing the skill to run it.
  • If possible, run the skill in a sandboxed environment (container) without access to sensitive environment variables or host files until you are comfortable.
  • If you cannot inspect or sandbox the invoked Node script and you need to keep your environment sealed, do not install or enable this skill.
Confidence: high — the mismatch between declared metadata/instructions and the actual code paths (undisclosed env var use, subprocess execution of other-skill scripts, absolute paths) is clear and material.
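As an added example (not part of the scan output or the skill's own code), a small static check a reviewer can run over a skill's Python source to surface exactly the mismatch the report describes: env vars read but not declared, absolute paths into other skills' workspaces, and subprocess calls that inherit the parent environment. The sample source, the empty declared-variable set and the private-path prefixes are constructed assumptions.

```python
import ast

# Constructed stand-in for the kind of skill code the scan describes (not the skill's
# real source): an undeclared env var, a hardcoded path into another skill's workspace,
# and one subprocess call that inherits the parent environment.
SAMPLE_SKILL_SOURCE = '''
import os, subprocess
key = os.getenv("TAVILY_API_KEY") or os.environ["TAVILY_API_KEY"]  # KeyError if unset
cfg = open("~/.openclaw/tavily-config.json").read()
subprocess.run(["node", "/root/.openclaw/workspace/skills/tavily-search/scripts/search.mjs"])
subprocess.run(["openclaw", "web_search", key], env={"LANG": "C"})
'''
DECLARED_ENV_VARS = frozenset()               # the registry metadata declares none
PRIVATE_PATH_PREFIXES = ("/root/", "/home/")  # other skills' workspaces, user-private files

def _str_const(node):
    return node.value if isinstance(node, ast.Constant) and isinstance(node.value, str) else None

def audit_skill_source(source, declared_env=DECLARED_ENV_VARS):
    """Compare what the code touches with what the metadata declares. Returns env vars
    read but undeclared, hardcoded private absolute paths, and the count of subprocess
    calls without an explicit env= (those inherit every variable of the parent)."""
    env_vars, paths, inheriting = set(), set(), 0
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Subscript) and ast.unparse(node.value) == "os.environ":
            if name := _str_const(node.slice):                 # os.environ["X"]
                env_vars.add(name)
        elif isinstance(node, ast.Call):
            callee = ast.unparse(node.func)
            if callee in ("os.getenv", "os.environ.get") and node.args:
                if name := _str_const(node.args[0]):           # os.getenv("X")
                    env_vars.add(name)
            elif callee.startswith("subprocess.") and not any(k.arg == "env" for k in node.keywords):
                inheriting += 1
        elif (s := _str_const(node)) and s.startswith(PRIVATE_PATH_PREFIXES):
            paths.add(s)
    return {
        "undeclared_env_vars": sorted(env_vars - set(declared_env)),
        "private_absolute_paths": sorted(paths),
        "subprocess_calls_inheriting_env": inheriting,
    }
```

Run the same function over the skill's actual source and its declared metadata; a non-empty result is the evidence to send back to the publisher.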

Like a lobster shell, security has layers — review code before you run it.

latest: vk97brndpx6ctnc7agypkknjc4d80v16q
3k downloads · 8 stars · 4 versions
Updated 14h ago
v1.0.3
License: MIT-0

WeChat Search Skill

Search for WeChat Official Account (微信公众号) articles using a compliant, three-layer approach that prioritizes legal search APIs and falls back to respectful web scraping when needed.

Features

  • Compliant Design: Prioritizes legal search APIs, respects robots.txt and rate limits
  • Three-Layer Strategy:
    • Primary: OpenClaw web_search (Brave Search API)
    • Secondary: Tavily Search API (if Brave unavailable)
    • Fallback: Direct page fetching from WeChat search
  • Recent Results: Returns the 5 most recent articles by default (configurable)
  • Time Filtering: Support for date range and recency filters
  • Multiple Output Formats: Text, JSON, and markdown formats available

Prerequisites

  • OpenClaw Web Tools: Requires web_search, web_fetch tools to be available
  • API Keys (optional but recommended):
    • Brave Search API Key (for primary search)
    • Tavily API Key (for secondary search, already configured in your environment)

Usage

Basic Search

wechat-search "人工智能"

Advanced Options

# Return 10 results instead of default 5
wechat-search "机器学习" --max-results 10

# Search within past week
wechat-search "大模型" --past-week

# Custom date range
wechat-search "AI应用" --from 2026-01-01 --to 2026-02-01

# JSON output format
wechat-search "开源AI" --output json

# Force specific strategy
wechat-search "最新技术" --strategy tavily_only

Configuration

Create ~/.openclaw/wechat-search-config.json to customize behavior:

{
  "defaultMaxResults": 5,
  "maxResultsLimit": 20,
  "requestDelayMs": 5000,
  "cacheDurationHours": 1,
  "userAgent": "OpenClaw-WeChat-Search-Bot/1.0 (+https://github.com/your-username/wechat-search-skill)"
}

Search Strategy Details

Layer 1: OpenClaw Web Search (Brave Search)

  • Uses Brave Search API with site:mp.weixin.qq.com filter
  • Fastest and most reliable when API key is configured
  • Respects search engine's indexing and ranking

Layer 2: Tavily Search API

  • Activated when Brave Search is unavailable or fails
  • Uses Tavily's AI-powered search with WeChat site restriction
  • Provides high-quality, relevant results with good coverage

Layer 3: Direct Web Fetch

  • Final fallback when both APIs are unavailable
  • Scrapes WeChat search results directly from 搜狗微信搜索 (Sogou WeChat Search)
  • Implements proper delays and respects robots.txt
  • Parses HTML to extract article metadata

Compliance & Ethics

  • Respects robots.txt: Checks and follows robots.txt directives
  • Rate limiting: Minimum 5-second delay between requests
  • Transparent identification: Clear User-Agent string identifying the bot
  • Public content only: Only accesses publicly available articles
  • No data retention: Does not store full article content, only metadata

Error Handling

  • Automatic retry on network failures (up to 3 attempts)
  • Graceful fallback between all three search strategies
  • Clear error messages for debugging
  • Handles API key missing scenarios gracefully
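The three-layer fallback, the 3-attempt retry and the 5-second minimum delay described above, as an added example that is not the skill's own code. The layer functions, the exception names and the fake clock are constructed so the scenario runs offline without any API keys.

```python
import time
class NetworkError(Exception): pass          # transient: retry the same layer
class StrategyUnavailable(Exception): pass   # e.g. no API key: skip to the next layer

class LayeredSearch:
    """Try layers in README order (brave -> tavily -> direct_fetch), retry a layer up to
    max_attempts times on NetworkError, fall through on exhaustion or unavailability,
    and keep at least min_delay_s between outbound requests (README: 5 s minimum)."""
    def __init__(self, layers, max_attempts=3, min_delay_s=5.0, clock=time.monotonic, sleep=time.sleep):
        self.layers, self.max_attempts, self.min_delay_s = layers, max_attempts, min_delay_s
        self._clock, self._sleep, self._last = clock, sleep, None
        self.attempt_log = []  # "layer#attempt" entries, for clear error messages

    def _throttle(self):
        if self._last is not None and (wait := self.min_delay_s - (self._clock() - self._last)) > 0:
            self._sleep(wait)
        self._last = self._clock()

    def search(self, query, max_results=5, strategy=None):
        # "--strategy tavily_only" forces a single layer; otherwise every layer in order
        names = [strategy.removesuffix("_only")] if strategy else list(self.layers)
        for name in names:
            for attempt in range(1, self.max_attempts + 1):
                self.attempt_log.append(f"{name}#{attempt}")
                try:
                    self._throttle()
                    return name, self.layers[name](query, max_results)[:max_results]
                except NetworkError:
                    continue   # transient: retry this layer
                except StrategyUnavailable:
                    break      # structural: move on to the next layer
        raise RuntimeError(f"all strategies failed for {query!r}; attempts: {self.attempt_log}")

def demo_run(strategy=None):
    """Constructed scenario with fake layers (no real API calls): Brave has no key,
    Tavily times out twice then answers, direct fetch is never reached."""
    state = {"now": 0.0, "sleeps": [], "tavily_calls": 0}
    def sleep(s): state["sleeps"].append(s); state["now"] += s
    def brave(q, n): raise StrategyUnavailable("BRAVE_API_KEY not set")
    def tavily(q, n):
        state["tavily_calls"] += 1
        if state["tavily_calls"] < 3:
            raise NetworkError("timeout")
        return [{"title": f"{q} #{i}", "url": f"https://mp.weixin.qq.com/s/x{i}"} for i in range(n + 2)]
    def direct(q, n): raise AssertionError("direct fetch should not be reached")
    s = LayeredSearch({"brave": brave, "tavily": tavily, "direct_fetch": direct},
                      clock=lambda: state["now"], sleep=sleep)
    layer, results = s.search("人工智能", max_results=5, strategy=strategy)
    return layer, results, s.attempt_log, state["sleeps"]
```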

Future Enhancements

  • RSS feed integration support
  • Article content summarization
  • Author/subscription management
  • Enhanced filtering options

This skill is designed to be both useful and responsible, providing access to valuable WeChat Official Account content while respecting platform rules and legal requirements.
