wacai-zhishudashi-baidu-ranking

Advisory

Audited by static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running the skill may post the generated report into a WeCom chat controlled by the embedded webhook owner, not necessarily the installing user.

Why it was flagged

The script embeds a live Enterprise WeChat robot webhook key and uses it as the default posting destination unless overridden.

Skill content
DEFAULT_WEBHOOK_URL = "https://qyapi.weixin.qq.com/cgi-bin/webhook/send?key=0e41994e-9e62-4713-ad69-fddeaaba8e9a"
Recommendation

Use your own WeCom webhook URL via the override option or environment variable, and avoid publishing live webhook keys in shared skills.
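The two halves of that recommendation, as an added example rather than code from the skill: a destination resolver that takes the override from a CLI flag or an environment variable and refuses the embedded default, and the static check that catches a live webhook key in skill text before it is published. The flag name `--webhook`, the variable name `WECOM_WEBHOOK_URL`, the all-zero placeholder key and the sample script are assumptions for illustration; the advisory does not name the override option or variable, and the real key on this page is not used.

```python
import os
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Placeholder standing in for the live key embedded in the skill (constructed; not the key on the page).
EMBEDDED_DEFAULT_URL = (
    "https://qyapi.weixin.qq.com/cgi-bin/webhook/send?key=00000000-0000-0000-0000-000000000000"
)
# Assumed name for the environment-variable override; the advisory does not name it.
ENV_VAR = "WECOM_WEBHOOK_URL"

WEBHOOK_HOST = "qyapi.weixin.qq.com"
WEBHOOK_PATH = "/cgi-bin/webhook/send"
# WeCom robot keys are lowercase UUIDs.
KEY_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$")
# Pattern a static scan uses to spot a live webhook URL embedded in source text.
EMBEDDED_KEY_RE = re.compile(
    r"https://qyapi\.weixin\.qq\.com/cgi-bin/webhook/send\?key=([0-9a-fA-F-]{36})"
)


def is_wecom_webhook(url: str) -> bool:
    """True only for an https WeCom robot webhook with exactly one well-formed key parameter."""
    p = urlparse(url)
    if p.scheme != "https" or p.hostname != WEBHOOK_HOST or p.path != WEBHOOK_PATH:
        return False
    keys = parse_qs(p.query).get("key", [])
    return len(keys) == 1 and KEY_RE.fullmatch(keys[0]) is not None


def resolve_webhook_url(cli_override: Optional[str] = None,
                        env: Optional[Dict[str, str]] = None) -> str:
    """Pick the posting destination: CLI flag first, then environment, never the embedded default."""
    env = dict(os.environ) if env is None else env
    url = cli_override or env.get(ENV_VAR)
    if not url:
        raise RuntimeError(f"no webhook configured: pass --webhook or set {ENV_VAR}")
    if url == EMBEDDED_DEFAULT_URL:
        raise RuntimeError("refusing to post to the webhook embedded in the skill")
    if not is_wecom_webhook(url):
        raise RuntimeError("override is not a WeCom robot webhook URL")
    return url


def find_embedded_webhook_keys(text: str) -> List[Tuple[int, str]]:
    """Static scan: (line number, redacted key) for every live webhook URL found in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in EMBEDDED_KEY_RE.finditer(line):
            hits.append((lineno, m.group(1)[:8] + "..."))  # never echo the full key
    return hits


# Constructed excerpt resembling the flagged pattern (not the skill's actual file).
SAMPLE_SCRIPT = '''import urllib.request
DEFAULT_WEBHOOK_URL = "https://qyapi.weixin.qq.com/cgi-bin/webhook/send?key=00000000-0000-0000-0000-000000000000"
def push(text, webhook_url=DEFAULT_WEBHOOK_URL):
    ...
'''

if __name__ == "__main__":
    print("embedded keys:", find_embedded_webhook_keys(SAMPLE_SCRIPT))
    try:
        resolve_webhook_url(None, env={})
    except RuntimeError as exc:
        print("resolve:", exc)
```

Failing closed is the point: with no override the script stops instead of silently posting to whoever owns the embedded key, and the scan runs over the skill's own files before they are shared.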

What this means

The agent will browse Baidu and send a message as part of the normal workflow.

Why it was flagged

The skill directs the agent to use browser automation and then run a local script to send the extracted titles. This is purpose-aligned, but users should notice the automated browsing and posting behavior.

Skill content
1. Use `browser` to open `https://www.baidu.com/`. ... 4. Use `scripts/push_wecom.py` to send the push message.
Recommendation

Run it only when you intend to publish the report, and verify the extracted titles before sending if accuracy matters.

What this means

The search-title report is transmitted to Enterprise WeChat over the network.

Why it was flagged

The script sends the report payload to an external webhook endpoint. The data appears limited to search result titles, but it still leaves the local agent environment.

Skill content
with urllib.request.urlopen(req, timeout=20) as resp:
Recommendation

Confirm the webhook recipient is appropriate, especially if you adapt the skill to send private or business-sensitive keywords.
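To make that confirmation a step in the script rather than a reminder, here is an added example (not the skill's `push_wecom.py`) of the send path gated the way a reviewer would want: the recipient key must be on an allowlist, titles matching blocked terms stop the send, the text body is checked against the size limit WeCom documents for robot text messages, and the default is a dry run that returns exactly what would leave the environment, with the key redacted. The message shape is the WeCom robot "text" message; the allowlist, the blocked-term list, the placeholder key and the sample titles are assumptions for illustration.

```python
import json
import urllib.request
from typing import Dict, Iterable, List, Set
from urllib.parse import parse_qs, urlparse

# Byte limit WeCom documents for the content of a robot text message (UTF-8).
MAX_TEXT_BYTES = 2048


def build_text_payload(titles: Iterable[str]) -> Dict:
    """WeCom robot 'text' message carrying a numbered list of titles."""
    content = "\n".join(f"{i}. {t}" for i, t in enumerate(titles, 1))
    return {"msgtype": "text", "text": {"content": content}}


def redact_webhook(url: str) -> str:
    """Log-safe form of the destination: host, path and the first 8 key characters."""
    p = urlparse(url)
    key = parse_qs(p.query).get("key", [""])[0]
    return f"https://{p.hostname}{p.path}?key={key[:8]}..."


def push_report(webhook_url: str, titles: List[str], allowed_keys: Set[str],
                blocked_terms: Iterable[str] = (), dry_run: bool = True) -> Dict:
    """Gate the outbound post: approved recipient, no blocked terms, size limit, dry run by default."""
    key = parse_qs(urlparse(webhook_url).query).get("key", [""])[0]
    if key not in allowed_keys:
        raise PermissionError(f"recipient {redact_webhook(webhook_url)} is not an approved webhook")
    # Titles are the payload; stop here if any contain terms that must not leave the environment.
    leaked = [t for t in titles if any(term.lower() in t.lower() for term in blocked_terms)]
    if leaked:
        raise ValueError(f"{len(leaked)} title(s) match blocked terms; not sending")
    payload = build_text_payload(titles)
    content_bytes = len(payload["text"]["content"].encode("utf-8"))
    if content_bytes > MAX_TEXT_BYTES:
        raise ValueError(f"content is {content_bytes} bytes, over the {MAX_TEXT_BYTES}-byte limit")
    body = json.dumps(payload, ensure_ascii=False).encode("utf-8")
    result = {"destination": redact_webhook(webhook_url),
              "content_bytes": content_bytes, "payload": payload}
    if dry_run:
        result["sent"] = False
        return result
    req = urllib.request.Request(
        webhook_url, data=body, headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=20) as resp:
        result["sent"] = True
        result["response"] = json.loads(resp.read().decode("utf-8"))
    return result


# Constructed inputs: a placeholder key and sample titles, not data from the scanned skill.
PLACEHOLDER_KEY = "11111111-2222-3333-4444-555555555555"
PLACEHOLDER_URL = f"https://qyapi.weixin.qq.com/cgi-bin/webhook/send?key={PLACEHOLDER_KEY}"
SAMPLE_TITLES = ["Example search result one", "Example search result two"]

if __name__ == "__main__":
    preview = push_report(PLACEHOLDER_URL, SAMPLE_TITLES, allowed_keys={PLACEHOLDER_KEY})
    print(json.dumps(preview, ensure_ascii=False, indent=2))
```

Run it with `dry_run=True` first and read the returned `destination` and `payload`; only flip to a real send once the redacted key is the one you expect and the content is what you intend to publish.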