ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

WeChat Work Doc Fetcher

v1.0.0

Fetch and convert WeChat Work developer docs pages into clean Markdown files for use in Obsidian, handling SPA content and required authentication.

0· 567·4 current·4 all-time
by@mouzhi
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The code and SKILL.md align with the stated purpose: they fetch developer.work.weixin.qq.com content_md and clean it for Obsidian. Requiring a session cookie for authenticated pages is expected. However, the README/SKILL.md claim that Playwright 'obtains session cookies automatically — no manual cookie setup needed' is misleading: get_doc_id_via_playwright only extracts doc_id and does not transfer Playwright/browser cookies into the requests.Session used for the actual API POST.
!
Instruction Scope
Instructions ask users to install Playwright/Chromium and optionally paste browser cookies. The runtime SKILL.md implies Playwright will both find doc_id and handle authentication automatically; the script only uses Playwright to intercept the XHR and extract doc_id. After that, the requests.Session uses COOKIES_RAW or --cookies. This mismatch could lead users to believe no manual cookie handling is needed and either share cookies unnecessarily or fail to get content_md unexpectedly.
Install Mechanism
This is an instruction-only skill (no automated install spec). SKILL.md instructs users to pip install playwright and run `playwright install chromium`, which will download a ~150 MB headless Chromium binary from Playwright's release infrastructure. That download is large but expected for browser automation; there is no hidden or unusual external installer in the skill bundle itself.
Credentials
The skill declares no required env vars or credentials in registry metadata, which matches the code. However the tool requires session cookies for authenticated API access; those are sensitive (session id / JWT) and the script provides a COOKIES_RAW variable and a --cookies flag to accept them. Requiring cookies is proportionate to the task, but handing them to the script is a sensitive operation and should be done deliberately.
Persistence & Privilege
The skill does not request permanent inclusion, does not modify other skills or system configuration, and does not persist beyond writing the requested markdown file. It runs as an on-demand script and does not elevate privileges.
What to consider before installing
Key points to consider before installing/using: - The tool needs an authenticated session cookie to fetch protected pages. The SKILL.md's wording that Playwright 'gets session cookies automatically' is misleading — the script uses Playwright only to extract doc_id and does not transfer browser cookies into the requests.Session. You will usually need to supply cookies via --cookies or by editing COOKIES_RAW. Treat those cookies like passwords: only paste them into the script on machines you trust, and consider revoking the session after use. - Playwright requires installing a headless Chromium (~150 MB). Install it only if you accept that download and run browser automation locally. - The script only contacts developer.work.weixin.qq.com (no other remote endpoints). You can verify network calls by reviewing the code (fetch_doc uses a single POST to the site) or by running the script in a network-monitored/isolated environment. - If you want the advertised 'automatic' behavior (no manual cookie paste), you or the author would need to modify the script to extract cookies from Playwright and transfer them into the requests.Session before calling the API; as-is, the documentation overpromises. - If you are uncomfortable pasting session cookies into a script, use the manual fallback to get doc_id and then query the API using a browser-exported curl only on an environment you control, or ask the author to add Playwright cookie transfer or OAuth support. Run the script in an isolated environment (container/VM) if possible.

Like a lobster shell, security has layers — review code before you run it.

latestvk976dpmf3yep8km704r0k5waz181mtab

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments