v1.0.0

WeChat Official Account Article Parser

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 2:36 PM.

Analysis

The skill appears purpose-aligned for fetching and summarizing WeChat articles, with minor cautions around loose URL validation and manual dependency installation.

Guidance: This looks safe for its stated purpose if you are comfortable running a Node.js/Playwright scraper. Before installing, verify the dependency installation source, and only provide genuine WeChat article links.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low | Confidence: High | Status: Note
scripts/fetch-wechat.js
if (!url.includes('mp.weixin.qq.com')) { ... }
...
await page.goto(url, { waitUntil: 'domcontentloaded', timeout: 30000 });

The script launches a browser against a user-supplied URL after only checking whether the string contains the WeChat domain, so a crafted non-WeChat URL containing that substring could still be opened.

User impact: The tool could be made to browse an unexpected page if given a malformed or deceptive URL, although this still appears limited to fetching and printing page content.
Recommendation: Use only real https://mp.weixin.qq.com article links, and consider improving the script to parse the URL and require the hostname to be exactly mp.weixin.qq.com.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
README.md
npm install playwright cheerio

# Install the browser (only needed once)
npx playwright install chromium

The documented setup installs external npm packages and downloads a Playwright browser. This is expected for browser-based scraping, but it is not represented by an install spec and should be treated as an external dependency step.

User impact: Installing the skill may require downloading packages and a Chromium browser from external sources.
Recommendation: Review the source repository and dependency versions before installing, and prefer pinned dependency versions or a reviewed install spec.