Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

WeChat Official Account Article Parser (微信公众号文章解析)

v1.0.1

Extract metadata and content from WeChat Official Account articles. Use when user needs to parse WeChat article URLs (mp.weixin.qq.com), extract article info...

by 苍何 (@freestylefly)
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name, README, SKILL.md, and the included scripts all align: the code fetches mp.weixin.qq.com or weixin.sogou.com pages and parses metadata/content using cheerio and script parsing. Declared npm dependencies match the parsing/HTTP tasks.
Instruction Scope
The runtime code performs HTTP requests to arbitrary user-supplied URLs and parses page scripts. It constructs and runs new Function(...) on JavaScript extracted from page <script> tags to recover data (and recurses to follow transfer links). Executing code derived from remote pages is dangerous (can cause CPU/IO abuse or access globals) even if used to parse data; the SKILL.md does not warn about this or require sandboxing. The instructions don’t ask for extra credentials or system files, but the dynamic evaluation of untrusted content is scope-expanding.
Install Mechanism
No install spec is provided (instruction-only), but package.json and package-lock.json are included, meaning a user will need to run npm install to use the code. The lockfile contains many transitive dependencies (some unexpected packages appear in the lockfile), but no direct download-from-URL or third-party install mechanism was found. Recommend running npm audit and installing in an isolated environment.
Credentials
The skill does not request environment variables, credentials, or system config paths. The code does not read process.env or other secrets. This is proportionate to the stated purpose.
Persistence & Privilege
The skill is not always-enabled and is user-invocable (normal). It includes a .claude/settings.local.json file that references an "enabledMcpjsonServers" value (cloudbase) and a flag to enable project MCP servers — this is a local config snippet and does not by itself escalate privileges, but it is unexpected metadata and worth reviewing if you run this in a managed Claude/agent environment.
What to consider before installing
This package generally does what it claims — it fetches WeChat article pages and extracts metadata — but it uses new Function(...) to execute JavaScript pulled from remote pages. That makes it risky to run on untrusted input because the evaluated code could be malicious or cause resource abuse. Before installing or running:

  1) Review/grep the scripts for use of new Function / eval and consider replacing evaluation with safer static parsing where possible.
  2) Run npm install and npm audit locally; pin dependencies and inspect transitive deps.
  3) Run the skill inside an isolated sandbox/container with restricted network egress and limited CPU/memory.
  4) Do not feed it URLs that contain sensitive tokens or that point to internal resources.
  5) If you need stronger assurance, ask the author for a version that avoids executing remote JS or provide a minimal repro showing why evaluation is necessary.

If you cannot sandbox it, treat it as high-risk.
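
The "safer static parsing" the scan recommends can look like the sketch below, which is an added example and not code from the skill: it reads variable initializers out of script text by matching string and number literals only, so nothing from the page is ever executed. The variable names and the sample script are constructed for illustration.

```javascript
// Added example, not the skill's code: read known variables out of untrusted
// <script> text by matching literals only. Nothing from the page is executed.
const DQ = /"((?:[^"\\\n]|\\[\s\S])*)"/.source;   // "double-quoted" literal
const SQ = /'((?:[^'\\\n]|\\[\s\S])*)'/.source;   // 'single-quoted' literal
const NUM = /(-?\d+(?:\.\d+)?)(?![\w.])/.source;  // plain decimal number

// Decode the escapes that appear inside a quoted JS string literal.
function decodeJsString(body) {
  const simple = { n: '\n', r: '\r', t: '\t', b: '\b', f: '\f', v: '\v', 0: '\0', '\n': '' };
  return body.replace(/\\(?:x([0-9a-fA-F]{2})|u([0-9a-fA-F]{4})|([\s\S]))/g,
    (_, x, u, ch) => {
      const hex = x || u;
      if (hex) return String.fromCharCode(parseInt(hex, 16));
      return ch in simple ? simple[ch] : ch;
    });
}

// Returns { name: string | number | null }. A variable whose initializer does
// not start with a string or number literal yields null instead of being run.
function extractScriptVars(scriptText, names) {
  const out = {};
  for (const name of names) {
    if (!/^[A-Za-z_$][\w$]*$/.test(name)) throw new TypeError('bad variable name');
    const re = new RegExp('(?:^|[;\\s{}])(?:var|let|const)\\s+' +
      name.replace(/\$/g, '\\$&') + '\\s*=\\s*(?:' + DQ + '|' + SQ + '|' + NUM + ')');
    const m = re.exec(scriptText);
    if (!m) out[name] = null;
    else if (m[3] !== undefined) out[name] = Number(m[3]);
    else out[name] = decodeJsString(m[1] !== undefined ? m[1] : m[2]);
  }
  return out;
}

// Constructed sample of inline script text (variable names are assumptions).
const SAMPLE_SCRIPT = [
  "var msg_title = 'Quarterly \\x26 annual report'.html(false);",
  'var publish_ts = 1705285800;',
  'var msg_desc = "line1\\nline2 \\u4f60\\u597d";',
  'globalThis.__ran = true; // would execute under new Function(...)',
  'var msg_cover = location.protocol + "//example.invalid/a.png";',
].join('\n');
```

The matcher does not understand comments or nested strings, so a declaration quoted inside another string can be picked up; the result is still only data, never executed code.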


1.6k downloads
5 stars
2 versions
MIT-0

WeChat Article Extractor

Extract metadata and content from WeChat Official Account (微信公众号) articles.

Capabilities

  • Parse WeChat article URLs (mp.weixin.qq.com)
  • Extract article metadata: title, author, description, publish time
  • Extract account info: name, avatar, alias, description
  • Get article content (HTML)
  • Get cover image URL
  • Support multiple article types: post, video, image, voice, text, repost
  • Handle various error cases: deleted content, expired links, access limits

Usage

Basic Extraction from URL

const { extract } = require('./scripts/extract.js');

// await needs an async context in a CommonJS module
(async () => {
  const result = await extract('https://mp.weixin.qq.com/s?__biz=...');
  // Returns: { done: true, code: 0, data: {...} }
})();

Extraction from HTML

// Inside an async function; `url` is the article URL fetched by the caller.
const html = await fetch(url).then(r => r.text());
const result = await extract(html, { url });

Options

const result = await extract(url, {
  shouldReturnContent: true,      // Return HTML content (default: true)
  shouldReturnRawMeta: false,     // Return raw metadata (default: false)
  shouldFollowTransferLink: true, // Follow migrated account links (default: true)
  shouldExtractMpLinks: false,    // Extract embedded mp.weixin links (default: false)
  shouldExtractTags: false,       // Extract article tags (default: false)
  shouldExtractRepostMeta: false  // Extract repost source info (default: false)
});
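
Because extract() fetches whatever URL it is given and, with shouldFollowTransferLink, follows migration links, a caller can vet each URL first. The guard below is an added example, not part of the skill; the host list comes from the hosts this page names, while the https-only policy, the hop limit and the function names are assumptions.

```javascript
// Added example, not the skill's code: vet a URL before handing it to extract().
const ALLOWED_HOSTS = new Set(['mp.weixin.qq.com', 'weixin.sogou.com']);

function checkArticleUrl(input) {
  let u;
  try { u = new URL(input); } catch { return { ok: false, reason: 'not a URL' }; }
  // Policy choice (assumption): only https, no userinfo, default port only.
  if (u.protocol !== 'https:') return { ok: false, reason: 'scheme not https' };
  if (u.username || u.password) return { ok: false, reason: 'credentials in URL' };
  if (u.port !== '') return { ok: false, reason: 'non-default port' };
  // Exact match on the parsed hostname, never a substring or suffix test.
  if (!ALLOWED_HOSTS.has(u.hostname)) return { ok: false, reason: 'host not allowed' };
  return { ok: true, url: u.href };
}

// Validate every hop of a transfer/redirect chain and cap its length.
function checkTransferChain(urls, maxHops = 3) {
  if (urls.length > maxHops + 1) return { ok: false, reason: 'too many hops' };
  for (const [i, url] of urls.entries()) {
    const r = checkArticleUrl(url);
    if (!r.ok) return { ok: false, reason: r.reason, hop: i };
  }
  return { ok: true };
}
```

A hostname allowlist does not control where the name resolves, so it complements the restricted network egress the scan recommends rather than replacing it.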

Response Format

Success Response

{
  done: true,
  code: 0,
  data: {
    // Account info
    account_name: "公众号名称",
    account_alias: "微信号",
    account_avatar: "头像URL",
    account_description: "功能介绍",
    account_id: "原始ID",
    account_biz: "biz参数",
    account_biz_number: 1234567890,
    account_qr_code: "二维码URL",

    // Article info
    msg_title: "文章标题",
    msg_desc: "文章摘要",
    msg_content: "HTML内容",
    msg_cover: "封面图URL",
    msg_author: "作者",
    msg_type: "post", // post|video|image|voice|text|repost
    msg_has_copyright: true,
    msg_publish_time: Date,
    msg_publish_time_str: "2024/01/15 10:30:00",

    // Link params
    msg_link: "文章链接",
    msg_source_url: "阅读原文链接",
    msg_sn: "sn参数",
    msg_mid: 1234567890,
    msg_idx: 1
  }
}

Error Response

{
  done: false,
  code: 1001,
  msg: "无法获取文章信息"
}

Error Codes

| Code | Message | Description |
|------|---------|-------------|
| 1000 | 文章获取失败 | General failure |
| 1001 | 无法获取文章信息 | Missing title or publish time |
| 1002 | 请求失败 | HTTP request failed |
| 1003 | 响应为空 | Empty response |
| 1004 | 访问过于频繁 | Rate limited |
| 1005 | 脚本解析失败 | Script parsing error |
| 1006 | 公众号已迁移 | Account migrated |
| 2001 | 请提供文章内容或链接 | Missing input |
| 2002 | 链接已过期 | Link expired |
| 2003 | 内容涉嫌侵权 | Content removed (copyright) |
| 2004 | 无法获取迁移后的链接 | Migration link failed |
| 2005 | 内容已被发布者删除 | Content deleted by author |
| 2006 | 内容因违规无法查看 | Content blocked |
| 2007 | 内容发送失败 | Failed to send |
| 2008 | 系统出错 | System error |
| 2009 | 不支持的链接 | Unsupported URL |
| 2010 | 内容获取失败 | Content fetch failed |
| 2011 | 涉嫌过度营销 | Marketing/spam content |
| 2012 | 账号已被屏蔽 | Account blocked |
| 2013 | 账号已自主注销 | Account deleted |
| 2014 | 内容被投诉 | Content reported |
| 2015 | 账号处于迁移流程中 | Account migrating |
| 2016 | 冒名侵权 | Impersonation |

Dependencies

Required npm packages:

  • cheerio - HTML parsing
  • dayjs - Date formatting
  • request-promise - HTTP requests
  • qs - Query string parsing
  • lodash.unescape - HTML entities

Notes

  • Handles various WeChat page structures and anti-scraping measures
  • Automatically detects article type from page content
  • Supports extracting from Sogou WeChat search results (weixin.sogou.com)
  • Some fields may be null depending on article type and page structure
