Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Wechat Articles Spider
v2.0.4WeChat Official Account article crawler with x402 micropayments. Requires Chrome browser and interactive WeChat QR login on first use. Harvest articles for r...
⭐ 0· 85·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description describe a WeChat Official Account crawler with a micropayments layer; the repository contains crawler code (Selenium-based), payment/x402 components, quota management and an async queue. Required binaries (python3, google-chrome) and the USER_ID env var align with the documented functionality.
Instruction Scope
SKILL.md and CLI instruct interactive Chrome QR login, running spider_cli.py, and entering transaction hashes. The code writes/reads local files (weixin_credentials.py, data/users/, data/queue/) to persist cookies, quotas and tasks — this is expected for a crawler that reuses login tokens, but it means sensitive credentials (WeChat cookies/tokens) are stored locally in the skill directory.
Install Mechanism
No packaged install spec; SKILL.md instructs 'pip install -r requirements.txt'. Dependencies (selenium, webdriver-manager, pandas, requests, flask, etc.) are plausible for the functionality. Because the package installs third-party Python packages, the usual caution about dependency supply-chain risk applies, but the install source (PyPI) is normal for Python projects.
Credentials
Only USER_ID is required in environment variables which fits the payment flow. However the code hard-codes a receiving address (0x172444FC64e2E370fCcF297dB865831A1555b07A) in config.py/SKILL.md — legitimate for a paid service but means payments go to that recipient. The skill also persists WeChat login tokens (weixin_credentials.py) and user/task data locally; storing those tokens is functionally explainable but increases local sensitive-data exposure.
Persistence & Privilege
always is false and the skill does not request system-wide privileges. It creates/updates files inside its own directory (data/, weixin_credentials.py), starts a background thread for async queue processing — all consistent with its stated async job queue behavior. It does not modify other skills or system-wide settings.
Assessment
This package is internally consistent with a paid WeChat article crawler, but review and accept these practical risks before installing: 1) Payments: the receiving Ethereum-style address is hard-coded in config.py and SKILL.md — any USDC you send goes to that address and transfers are irreversible. 2) Local credentials: the tool stores WeChat login tokens/cookies in weixin_credentials.py inside the skill folder — treat these files as sensitive and run the code on a machine you control. 3) Dependencies: pip installing requirements pulls third-party packages (PyPI); audit if you require higher supply-chain assurance. 4) Inspect config.py: change the receiving address if you plan to operate your own payment endpoint. 5) Sandbox: if unsure, run the tool in a sandbox or isolated VM, and review the code paths that perform network requests (blockchain RPC / BaseScan) and file writes. If you don’t trust the recipient address or don’t want local credential storage, do not use this skill.Like a lobster shell, security has layers — review code before you run it.
latestvk97a821rsbgb9c74b3pp9hd6s183p9b3
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🕷️ Clawdis
OSLinux · macOS · Windows
Any binpython3, google-chrome
EnvUSER_ID