ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

wechat-article-getter

v1.0.0

Extract full text from WeChat Official Account (微信公众号) article URLs. Use when a user shares an mp.weixin.qq.com link and asks to read, summarize, analyze, or...

0· 298·0 current·0 all-time
by@ppppanda
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the included code: the Python scripts launch a headless Chromium via Playwright and extract WeChat article text. Required binaries (python3) are appropriate. However, SKILL.md describes a mirror-site fallback that references multiple aggregator sites, while the code's MIRROR_SITES list contains only two sites — a minor mismatch. Overall capability is coherent with the stated purpose.
!
Instruction Scope
SKILL.md tells the agent/user to run scripts/setup.py which will install Playwright and Chromium. The code will also attempt to pip-install playwright and beautifulsoup4 at runtime if Playwright is missing. Those install steps perform network downloads and write a browser to the user's home directory. The documented fallback behavior is misleading: _fetch_via_mirror requires a title_hint (and uses httpx), but fetch_wechat_article calls _fetch_via_mirror(url) without a title hint — so the automated fallback is effectively broken. The scripts only access network endpoints for the target article and mirror sites and do not access unrelated system files or credentials.
Install Mechanism
No install spec in registry (instruction-only), but the included setup.py and runtime installers call pip and Playwright to download Python packages and Chromium (~100–200MB). These downloads come from Playwright/pip ecosystems (standard but large). This is higher friction and writes sizable files to disk, but it is expected for a headless-browser scraper. No unusual or personal-server download URLs are used in the provided code.
Credentials
The skill requests no environment variables, no credentials, and no privileged config paths. It does not attempt to read system secrets. The lack of required env vars is appropriate for the stated purpose.
Persistence & Privilege
always:false and no code that modifies other skills or system-wide agent configuration. The script writes any explicit output file only when an --output path is provided. It does install browser artifacts under the user's cache/home directories, which is expected for Playwright but not a privilege escalation.
What to consider before installing
This skill appears to implement a legitimate WeChat-article extractor, but there are implementation issues and runtime implications you should consider before installing: - The setup/install will download Python packages and a Chromium browser (~100–200MB) from the network and write them to your user cache/home. Expect a sizable download and disk usage. - The scripts call pip at runtime (subprocess.check_call). That is normal for bootstrapping Playwright but means code will execute package installation commands — run this in a controlled environment (container or VM) if you are cautious. - The documented mirror fallback is misleading: the mirror search code uses httpx but the setup script does not install httpx, and the fallback path in the main function does not provide the required title_hint, so automatic mirror fallback will generally fail. If you depend on that feature, review/patch the code (add httpx to installs and pass a title hint). - The tool only performs HTTP(S) requests to the target article and configured mirror sites; it does not request credentials or exfiltrate arbitrary files. Still, test with non-sensitive URLs first. Recommendations: Inspect the scripts locally, run setup and fetch inside an isolated environment (Docker/container) if possible, and confirm the network/download behavior is acceptable. If you need the mirror fallback, modify setup.py to install httpx and fix the call that invokes _fetch_via_mirror so it supplies a title hint extracted from the page or metadata.

Like a lobster shell, security has layers — review code before you run it.

latestvk979bzd7tdn6q8cq4acfhyv8eh82m16x

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binspython3

Comments