ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

read wechat article

v1.0.0

Fetch and parse WeChat public articles by extracting clean content, metadata, images, word count, and reading time without browser rendering.

0· 481·3 current·3 all-time
bywendell@psyear
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name, description, requirements, and code align: the skill only needs HTTP + HTML parsing libraries (requests, BeautifulSoup, markdownify) and its code implements URL cleaning, fetching, parsing, cleaning, image extraction and Markdown conversion as documented.
!
Instruction Scope
SKILL.md stays within scope (install deps, run script, call function) and documents user-initiated use, but the implementation disables TLS verification (requests.get(..., verify=False)) which weakens network security and is not called out in the docs. Tests and some examples call the network directly (no mocks), so running test suites may perform outbound requests. The code also includes optional helpers that write files (image download) — documented, but you should be aware these perform disk I/O when used.
!
Install Mechanism
No remote downloads or unusual install sources (only pip deps), which is good. However setup.py appears to contain trailing/corrupted characters (extraneous tokens at the end) that could break packaging or indicate a cut-and-paste error. The package entry_points and skill.json handler mention console entry/handler names that are not obviously present in the main module (possible mismatch), so installation/CLI behavior may not work as expected until verified.
Credentials
The skill requests no environment variables, no credentials, and no config paths — proportional to a web-scraping/parsing tool. Optional features mention using local ML models or storing to DB, but those are documented as optional and do not require hidden credentials.
Persistence & Privilege
The skill does not request elevated or persistent privileges and always:false. It does not attempt to modify other skills or system-wide configs. Note: some metadata files claim 'do not store user-provided URL', and the code keeps an 'original_url' field in results (in-memory) — no on-disk persistence is present unless you call the provided image-download or save-to-database helpers.
Assessment
This skill appears to implement what it claims (WeChat article scraping and parsing) and doesn't request secrets, but review the following before running: 1) The code disables TLS verification (verify=False) — this makes requests vulnerable to MITM; consider changing to verify=True or explicitly handling cert issues. 2) setup.py contains malformed/trailing characters and the declared console entrypoint/handler may not match functions in the module; fix/verify packaging and entrypoints before pip-installing or publishing. 3) Running tests will perform real network requests; run them in an isolated environment or offline if you don't want outbound traffic. 4) Image-download and database helper functions perform disk/network I/O — only run them if you trust the source. If you need higher assurance, ask the maintainer for a clean setup.py, a clear main/handler function, and to remove/justify verify=False; run the package in a sandbox or ephemeral VM and audit network traffic on first runs.

Like a lobster shell, security has layers — review code before you run it.

latestvk97d85t4srwhrsd2gxgt766je58246ak

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments