Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
wewe-rss WeChat Export
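v1.0.0
A WeChat public-account scraping and export tool adapted for wewe-rss: it batch-exports WeChat public accounts / JSON feeds into cleaned DOCX documents, with support for date-prefixed file naming and zip packaging. Suitable for exporting public-account articles, batch-generating Word delivery packages, preserving cleaned article body text, and similar scenarios.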
by Wanli Chen @n1neman
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the included scripts and README. The package contains export scripts that fetch JSON feeds, clean HTML, localize images, and call pandoc to produce DOCX — which is coherent with an exporter. Manifest network permission is appropriate for fetching feeds.
Instruction Scope
SKILL.md and the scripts restrict runtime behavior to fetching feed URLs, cleaning/html-to-docx conversion, local image downloads, writing results into the chosen output directory, and optional zipping. Installation instructions read the OpenClaw workspace config (~/.openclaw/openclaw.json) to determine install destination — this is expected for installing into the platform but is something to be aware of. The scripts run subprocesses (curl, node, pandoc, python3) and perform network I/O and filesystem writes (output_dir); this is necessary for the stated task but you should run it with feeds you trust and in an appropriate directory to avoid accidental overwrites.
Install Mechanism
There is no automated installer that downloads remote code. INSTALL.md instructs manual copying/unzip into the OpenClaw workspace and restarting the gateway. No external archive URLs or opaque downloads are used by the skill itself.
Credentials
The skill declares no required environment variables or credentials. It optionally respects EXPORT_FEED_OUTPUT_ROOT as a convenience. It does not request unrelated secrets or system-wide credentials; requested binaries (node, pandoc, curl, python3) are reasonable for the task.
Persistence & Privilege
always:false and user-invocable; the skill does not request persistent platform privileges or modify other skills' configurations. Installation writes files into the OpenClaw workspace (expected for a skill) and suggests restarting the gateway — normal for installing local skills.
Assessment
This skill appears to be what it says: a feed->DOCX exporter implemented as Node/Bash scripts. Before installing: (1) Verify required binaries (node, pandoc, curl, python3) are present and up-to-date. (2) Run the export in a controlled folder to avoid overwriting important files (the script writes into output_dir). (3) Only feed URLs you trust / are allowed to scrape; the tool will perform network requests and download images/resources from the feed. (4) Installation reads your OpenClaw workspace config (~/.openclaw/openclaw.json) to determine where to place files — review the INSTALL.md steps and run them manually if you prefer. (5) If you need higher assurance, review the full export-feed-single-pages.mjs script (included) to confirm no unexpected endpoints or behavior for your use case.
scripts/export-feed-single-pages.mjs:187
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
