v1.0.0

wechat-pack

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 6:12 AM.

Analysis

This appears to be a purpose-built local document packager, but it can download image URLs and copy referenced local files into the publish folder, so users should review outputs before publishing.

Guidance: This skill looks coherent for converting local documents into WeChat-ready HTML. Before installing or using it, be aware that it can download image URLs and copy files referenced by the source document into the generated publish folder; review those generated files before publishing.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low | Confidence: High | Status: Note
scripts/pack_wechat.py
if src.startswith("http://") or src.startswith("https://"):
    local_path = _download_url(src, assets_dir)
...
shutil.copy2(candidate, dest)

When processing a document, the script automatically downloads remote image URLs and copies existing local file paths referenced in image tags into the output assets directory.

User impact: A document with external or local image references can cause network requests or copy referenced local files into the publish folder before the user publishes it.
Recommendation: Use this skill on documents you trust, and inspect the generated `assets/`, `cover/`, and `wechat/article.html` files before pasting or publishing in WeChat.

Agentic Supply Chain Vulnerabilities
Severity: Info | Confidence: High | Status: Note
SKILL.md
For `.docx` conversion, `pandoc` must be available in `PATH`.

The skill relies on an external PATH-resolved pandoc binary for .docx conversion, while the registry metadata declares no required binaries.

User impact: Docx conversion depends on whichever `pandoc` executable is installed on the user’s system PATH.
Recommendation: Install pandoc from a trusted source if using .docx input, and avoid running with an untrusted PATH configuration.