Skill v1.0.1

ClawScan security

WechatSync · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 10, 2026, 9:06 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requirements and runtime instructions are consistent with a multi-platform publishing CLI that pairs with a browser extension; nothing requested appears unrelated to its stated purpose, but you should verify the npm package and browser extension before installing them.
Guidance
This skill appears coherent for a local CLI that talks to a browser extension to publish/sync articles. Before installing or using it:
1) Install the npm package only from the official package and verify the package name/version on the project homepage (GitHub).
2) Install the Chrome extension only from the official Web Store link and review its permissions and source code if possible — the extension will use your browser cookies to act on platforms and could act with your logged-in sessions.
3) Treat WECHATSYNC_TOKEN as a local secret and do not share it; follow the SKILL.md advice to create it locally.
4) If you need stronger assurance that 'no third-party server' is involved, inspect the extension and CLI network activity (e.g., with a local proxy) or review their source to confirm they only communicate over localhost.
5) If you are uncomfortable granting a browser extension access to site cookies or installing an npm CLI you haven't audited, do not proceed.

Review Dimensions

Purpose & Capability
ok
Name/description (multi-platform article publisher) matches the declared binary (wechatsync), the npm package (@wechatsync/cli) used to install that binary, and the single required env var (WECHATSYNC_TOKEN), which the SKILL.md describes as a local token for CLI-extension communication.
Instruction Scope
note
SKILL.md instructs installing an npm CLI and a Chrome extension and describes a localhost token-based IPC model; the instructions stay within the publishing/extraction workflow (sync, platforms, extract) but rely on a browser extension that uses existing cookies to call platform APIs — the doc claims 'no third-party server involved' and 'data stays local', which is plausible but must be verified by inspecting the extension and CLI source and runtime behavior.
Install Mechanism
ok
Install is a standard npm package (@wechatsync/cli) which produces the expected binary. This is an appropriate and proportional install mechanism for a CLI tool; moderate risk is inherent to installing npm packages (audit the source before installing).
Credentials
note
Only one env var (WECHATSYNC_TOKEN) is required, and it is described as a locally-created token for CLI<->extension communication — this is proportionate. However, the browser extension will use browser cookies (session auth) to act on platforms; those cookies/extension permissions are powerful and should be reviewed before granting.
Persistence & Privilege
ok
Skill is not forced-always present and does not request system-wide config paths or other skills' credentials. Autonomous invocation is allowed (default) but is not combined with other concerning privileges.