Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Social Media Content Scraper Pro

v1.0.0

Social Media Content Bulk Scraper, extract articles/posts from WeChat, Instagram, TikTok, YouTube, export to Markdown/HTML with full metadata. $0.005 USDT pe...

0· 121·0 current·0 all-time

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for baolige2023/wechat-content-scraper-intl.

Install the skill "Social Media Content Scraper Pro" (baolige2023/wechat-content-scraper-intl) from ClawHub.
Skill page: https://clawhub.ai/baolige2023/wechat-content-scraper-intl
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

openclaw skills install wechat-content-scraper-intl

ClawHub CLI

npx clawhub@latest install wechat-content-scraper-intl

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

! Purpose & Capability
The README and UI advertise scraping WeChat, Instagram, TikTok, YouTube, and Twitter/X, but the server code only accepts and simulates mp.weixin.qq.com (WeChat) URLs and returns generated sample content. The frontend templates list multiple platforms, but backend route names and behavior are inconsistent (frontend calls endpoints like /start, /tasks, /task while backend defines /create_task, /task_status/<id>, /articles/<id>, etc.). This mismatch means the skill does not implement the multi-platform capabilities it advertises.

! Instruction Scope
SKILL.md instructs a payment flow and entering profile URLs, which aligns with the included app, but the code will run a Flask web server, accept arbitrary profile URLs, download and store scraped content and images to a local data folder, and call external billing endpoints. The skill claims '100% safe and secure local data storage' despite storing arbitrary external HTML/content locally and serving it back via templates (possible XSS or serving of copyrighted/private content). Also the SKILL.md tells reviewers to 'review included files' — the code contains logic that will perform network calls and file writes not fully disclosed in SKILL.md.

! Install Mechanism
There is no install specification even though the code imports third-party Python packages (requests, bs4/BeautifulSoup, pandas). Missing dependency declarations mean runtime surprises. There is no external download/install step (low supply-chain risk), but the skill runs a web server and writes data to a local data directory — behavior not captured by an install manifest.

! Credentials
The skill declares no required environment variables, yet the code contains hard-coded sensitive values: a SECRET_KEY and a SKILLPAY_API_KEY embedded in the source. Hard-coded API keys are a red flag (exposes credentials and indicates the skill will communicate with an external billing service). No justification is provided for embedding secrets or for not using environment variables. The skill also makes outbound HTTP requests to skillpay.me and arbitrary profile URLs.
Persistence & Privilege
always:false (default) and the skill does not request elevated platform privileges. It persists data in a local data directory and runs a Flask app; this is normal for a web tool but means the agent will create files and open a listening web interface if executed. That persistence is not inherently malicious but increases blast radius if combined with embedded secrets or network access.
What to consider before installing
This skill is inconsistent and risky in several ways. Before installing or running it:

  1. Don't trust the embedded API key/SECRET_KEY — treat them as exposed. Ask the author to remove hard-coded secrets and require credentials via environment variables.
  2. Confirm provenance and the SkillPay billing integration (whose API key is embedded) — avoid using that key; use your own account or sandbox.
  3. Expect the backend to be WeChat-only and mostly simulated, despite UI claims for other platforms — request a clear feature matrix and working endpoints.
  4. Run the code in an isolated sandbox (no sensitive network access, no production credentials) to inspect runtime behavior.
  5. Require dependency listing (requirements.txt) and fix mismatched frontend/backend routes and obvious bugs (e.g., missing timedelta import).
  6. Consider legal/ToS risks: bulk scraping social platforms may violate terms of service or copyright law.

If you need a reliable scraper, ask the developer for a corrected, dependency-declared release, removal/rotation of embedded secrets, and proof that external billing/account keys are legitimate.

Like a lobster shell, security has layers — review code before you run it.

Tags (all pointing to vk977vvs6crw1w8vnyphc7187v983g5hx): content, latest, marketing, monetization, research, scraper, social-media
121 downloads
0 stars
1 version
Updated 1mo ago
v1.0.0
MIT-0

Social Media Content Scraper Pro

Features

Bulk content extraction tool for content creators, marketers, and researchers:

  1. Bulk scraping: Input official account/profile URL, extract all historical posts/articles
  2. Multi-format export: Export to Markdown, HTML, plain text formats
  3. Full metadata extraction: Automatically extract title, publish date, views, likes, shares, cover image, tags, author info
  4. Auto deduplication: No duplicate content scraping
  5. Batch image download: Download all images from posts in one click
  6. Local data storage, 100% safe and secure
  7. Simple UI, no coding required

Pricing

$0.005 USDT per scrape task, or $4.99 for lifetime unlimited access. Payment powered by SkillPay.me.

How to use

  1. Complete payment verification
  2. Enter social media profile/account URL
  3. Select scraping range (all / latest N posts)
  4. Wait for scraping to complete
  5. Choose export format and download
