WeChat Official Account 100k+-read article recommendations (红狐数据)

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill matches its stated WeChat hot-article purpose, but it disables HTTPS verification and generates HTML from remote data without clear sanitization, so users should review it before installing.

Only install if you are comfortable with this skill calling its external API and creating local HTML output. The publisher should fix HTTPS verification and sanitize generated HTML before routine use, especially on untrusted networks.

Static analysis

Insecure TLS verification

Warn
Finding
HTTPS certificate verification is disabled.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A network attacker or misconfigured endpoint could alter article results, links, or data before the agent displays them or writes them into HTML.

Why it was flagged

The fetcher intentionally disables hostname and certificate validation and avoids SNI while sending the API request.

Skill content
context.check_hostname = False  # do not verify the hostname
context.verify_mode = ssl.CERT_NONE  # do not verify the certificate
ssl_sock = context.wrap_socket(sock)
Recommendation

Use a standard HTTPS client with SNI, hostname checks, and certificate verification enabled; fail closed on TLS errors.

What this means

If the API response is malicious or tampered with, opening the generated HTML could expose the user to injected HTML/JavaScript or unsafe links.

Why it was flagged

Remote article fields are inserted directly into generated HTML attributes and text without visible escaping or URL validation.

Skill content
title = article.get("title", "未知标题")
url = article.get("oriUrl", "#")
...
<a href="{url}" target="_blank" class="article-title">{title}</a>
Recommendation

HTML-escape all remote text fields, validate allowed URL schemes/domains, and consider a restrictive Content Security Policy for generated pages.

What this means

The skill appears to use a shared service token for the expected article API; users cannot see or control that token's actual backend scope.

Why it was flagged

The API access token is embedded in the skill documentation and code rather than being supplied through a scoped user credential.

Skill content
N-Token: 2f9f88dbb...
Recommendation

Document the token's scope and rotatability, or move it to a server-side or properly scoped credential mechanism instead of embedding it in artifacts.

What this means

Opening the generated HTML depends on code served by an external CDN, which is purpose-aligned but adds a supply-chain trust dependency.

Why it was flagged

The generated HTML loads a third-party JavaScript library from a CDN for PDF export.

Skill content
<script src="https://cdnjs.cloudflare.com/ajax/libs/html2pdf.js/0.10.1/html2pdf.bundle.min.js"></script>
Recommendation

Bundle a verified copy of the library or add Subresource Integrity and clear documentation of the external dependency.