Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

wechat-pack

v1.0.0

Convert local .docx or Markdown files into WeChat-ready HTML and generate a publish folder (source/assets/cover/wechat). Use when packaging documents for WeC...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (wechat-pack) align with included script and SKILL.md: the script converts docx/markdown/html to HTML, applies inline styles, downloads external images into assets/, and generates cover variants when Pillow is available. No unrelated services, credentials, or binaries are requested.
Instruction Scope
SKILL.md instructions are consistent with the script: they call ./wechat_pack <file>, require pandoc for .docx conversion, and note that external images are downloaded and rewritten locally. The runtime instructions do not direct the agent to read unrelated system files, environment variables, or send data to unexpected endpoints. The script does open network connections to fetch images (urllib.request) which is expected behavior for the stated purpose.
Install Mechanism
There is no install spec (instruction-only), so nothing is automatically downloaded or installed by the platform. The included Python script runs locally and uses only standard libraries plus optional markdown and Pillow packages; this is proportionate to the task.
Credentials
The skill declares no required environment variables, credentials, or config paths. The script does not attempt to read or require secrets. It does call an external program (pandoc) if converting .docx, which is documented.
Persistence & Privilege
The skill is not forced-always, does not request elevated platform privileges, and does not modify other skills or system-wide agent settings. It runs as a discrete utility producing local output files.
Assessment
This skill appears to do what it says, but review and be mindful of a few practical points before running: (1) The script will fetch external image URLs over the network — remote image hosts could record requests or attempt to track you, so only run on documents whose image sources you trust. (2) Converting .docx requires pandoc on PATH; installing pandoc is separate and you should obtain it from the official source. (3) Pillow and a Python markdown package are optional for extra features; install only from trusted package indexes. (4) The script writes files into a new output folder (source/, assets/, cover/, wechat/) — check the output and the script source if you want to confirm there is no undesired behavior. Overall the footprint is local and coherent with the stated purpose; no credentials or hidden endpoints were found.

Like a lobster shell, security has layers — review code before you run it.

latestvk97b5prxwvqcfpvf79fw3wnz5x8208aq
