Skill v1.0.0

ClawScan security

WeChat MP Monitor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 13, 2026, 7:56 AM
Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's code, instructions, and requirements are internally consistent: it scrapes WeChat article pages, stores a small local watchlist/history, and optionally posts notifications to a Feishu webhook — nothing requested or installed appears disproportionate to that purpose.
Guidance
This skill appears to do what it claims: it fetches WeChat article pages, stores a small local watchlist/history, and can post messages to a Feishu webhook. Before installing, note: (1) the script will make outbound HTTP requests to article URLs and to any Feishu webhook you configure — only use trusted webhook URLs; (2) data is stored unencrypted at ~/.wechat_mp_monitor (watchlist.json and history.json); (3) you must install Python deps (requests, beautifulsoup4); (4) frequent automated scraping may violate target site terms or trigger blocks — use the cron schedule responsibly. If you want extra caution, run it in an isolated account/container or inspect/modify the script to suit your privacy/policy requirements.

Review Dimensions

Purpose & Capability
ok: Name/description (monitor WeChat MP, summarize, notify via Feishu, cron scheduling) matches the included script and SKILL.md. No unrelated credentials or binaries are requested.
Instruction Scope
ok: SKILL.md and the script limit actions to fetching article URLs, extracting/summarizing content, maintaining watchlist/history under ~/.wechat_mp_monitor, and optionally posting to a Feishu webhook. Instructions do not reference unrelated files, system credentials, or external endpoints beyond article URLs and optional Feishu webhooks.
Install Mechanism
ok: No install spec included; the skill is instruction + a Python script. Dependencies are standard Python packages (requests, beautifulsoup4) installable via pip, proportionate for web scraping and HTML parsing.
Credentials
ok: The skill declares no required env vars; SKILL.md documents an optional FEISHU_WEBHOOK environment variable which the script reads if present. This is appropriate for optional notifications and does not demand unrelated secrets.
Persistence & Privilege
ok: always is false and the script only writes to its own data directory (~/.wechat_mp_monitor). It does not modify other skills or system-wide agent settings. Autonomous invocation is the platform default but not elevated here.