Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Silas WeChat Article Search
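v2.0.0
WeChat Official Account article search and parsing. Dual-source search via Sogou WeChat and Newrank (新榜), full-text parsing with a Python script (zero Node dependencies), and Serper repost search as a fallback.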
by silas@aohoyo
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
high confidence
Purpose & Capability
Name/description (WeChat article search & parse) matches the included parser script and curl-based search steps. However, the SKILL.md uses a SERPER API key ($SERPER_API_KEY) and references other system artifacts (web-keywords.json, memory/collect-log.json) and Feishu integration steps without declaring any required environment variables, credentials, or config paths in the skill metadata. Those externally referenced items are not explained or requested in the registry metadata, which is disproportionate.
Instruction Scope
Instructions tell the agent to: curl sogou/webrank/Serper, run the included Python parser, search for reposts, write and save JSON, save images to /tmp/openclaw/images/, and call other agent-native tools (feishu_create_doc, feishu_doc_media, feishu_search_doc_wiki, wiki-directory-manager, web_fetch). The SKILL.md also expects local files (web-keywords.json, memory/collect-log.json). The skill instructs reading/writing files and calling external services beyond the single parse operation; many of these inputs/outputs are not declared, granting the agent broad scope that isn't captured in metadata.
Install Mechanism
No formal install spec (instruction-only) — lower install risk. SKILL.md suggests 'pip3 install requests beautifulsoup4' which is a normal, minimal Python dependency list and aligns with the included script. Nothing is downloaded from unknown URLs or extracted to disk by an installer.
Credentials
Metadata lists no required env vars, but the SKILL.md uses $SERPER_API_KEY in curl commands. The skill also expects Feishu insertion (which usually requires credentials) and references local state files; none of these credentials or config paths are declared. Requesting or using undeclared secrets/configs is disproportionate and should be explicit.
Persistence & Privilege
always:false and the skill is user-invocable; it does not request forced/permanent inclusion. It does instruct writing output and images to /tmp/openclaw/images/ (its own local path) which is reasonable for a scraper/collector and not an escalation of platform privileges.
What to consider before installing
Before installing:
1) Ask the author to declare required environment variables (at minimum SERPER_API_KEY) and any credentials for Feishu or other services the skill will call.
2) Confirm where web-keywords.json and memory/collect-log.json come from and whether the skill will read any other local files.
3) Understand that the skill will write scraped output and images to /tmp/openclaw/images/ and may upload media to Feishu — make sure those actions are acceptable and that Feishu credentials are handled securely by the agent.
4) Note legal/terms-of-service risks when scraping WeChat/Sogou; consider rate limits and captcha workarounds.
5) If you need tighter assurance, request the author remove undeclared external dependencies or explicitly list required secrets and file paths; otherwise treat this skill as having broader access than the metadata indicates.
Like a lobster shell, security has layers — review code before you run it.
latest vk971qg83mbxg46dkngq36z44mn8531dm
Runtime requirements
OS: Linux
