v1.0.0

Wechat Articles

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 7:52 AM.

Analysis

This appears to be a purpose-aligned WeChat article search and reader skill, but users should notice its external dependencies, web requests, and browser-based fetching.

GuidanceBefore installing, verify the repository and PyPI dependencies, especially miku-ai and Playwright. Use the skill for public WeChat article search/reading, avoid sensitive search terms, and be careful with optional screenshot output paths.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities

SeverityLowConfidenceHighStatusNote

SKILL.md

packages:\n        - beautifulsoup4\n        - requests\n        - playwright\n        - miku-ai\n...\ninstall:\n        - pip install beautifulsoup4 requests playwright miku-ai\n        - playwright install chromium --with-deps

The skill documents unpinned third-party package installation and a browser/system-dependency installer, while the registry metadata does not declare an install spec or required binaries. This is expected for the tool's purpose but is still a supply-chain/provenance point users should verify.

User impactInstalling the skill may require trusting external Python packages and a Chromium installation step.

RecommendationVerify the GitHub/PyPI sources, consider pinning dependency versions, and run the browser install step only if you need Playwright mode.

Tool Misuse and Exploitation

SeverityLowConfidenceHighStatusNote

scripts/wechat_articles_playwright.py

await page.goto(simple_url, wait_until="networkidle", timeout=60000)\n...\nif screenshot_path:\n    await page.screenshot(path=screenshot_path, full_page=True)

The Playwright reader navigates to a caller-supplied URL and can write a screenshot to a caller-supplied path. This is purpose-aligned for article reading, but the caller should keep URLs and paths within the intended scope.

User impactThe tool can load remote pages in a browser context and write screenshot files when requested.

RecommendationUse it for intended mp.weixin.qq.com/public-account article URLs and provide explicit, safe screenshot paths when using that option.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication

SeverityLowConfidenceHighStatusNote

scripts/wechat_articles.py

import miku_ai.spider\n...\narticles = asyncio.run(miku_ai.spider.get_wexin_article(query, top_num))

Search terms are passed into an external package/provider path to retrieve WeChat article results. This is central to the search feature, but it means user queries are not purely local.

User impactSearch keywords and requested article lookups may be sent to external services or libraries used by the package.

RecommendationAvoid entering sensitive private terms, and review the miku-ai dependency/provider behavior if query privacy matters.