Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

WeChat Official Account Article Fetcher (微信公众号文章抓取)

v1.0.0

Fetch complete content from WeChat public account articles (mp.weixin.qq.com). Use when extracting content from WeChat official account links, especially whe...


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for ranhuang/ye-weixin-web-fetch.

Install the skill "微信公众号文章抓取" (ranhuang/ye-weixin-web-fetch) from ClawHub.
Skill page: https://clawhub.ai/ranhuang/ye-weixin-web-fetch
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI


openclaw skills install ye-weixin-web-fetch

ClawHub CLI


npx clawhub@latest install ye-weixin-web-fetch

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (high confidence)

[!] Purpose & Capability
The skill name and SKILL.md specifically target mp.weixin.qq.com articles, but the runtime script (weixin_fetch.py) accepts and fetches any http/https URL. validate_url only checks scheme and presence of a domain, not the domain value or whether the host is private/loopback. This mismatch is disproportionate to the stated purpose and enables requests to arbitrary hosts (including internal addresses).
[!] Instruction Scope
SKILL.md instructs running the script with a WeChat article URL, which implies a narrow scope. However the code does not enforce that scope and will perform HTTP requests to any provided URL. The instructions do not warn about this expansion of scope or potential risks (e.g., accessing internal network services or metadata endpoints).
Install Mechanism
There is no install spec; the skill is instruction-plus-script. The included requirements.txt lists httpx, readability-lxml, and lxml — reasonable dependencies for HTML fetching and parsing. No third-party download URLs or extracted archives are present.
Credentials
The skill requests no environment variables, no credentials, and no config paths. The code does not read environment secrets. This is proportionate to the declared purpose.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or persistent system settings. It is user-invokable and can be invoked autonomously (platform default), which is normal and not by itself concerning.
What to consider before installing
This skill mostly does what it says (fetch and extract WeChat article HTML), but the included Python script will fetch any http(s) URL you pass it — not just mp.weixin.qq.com. That creates a potential SSRF/internal-network access risk (e.g., accessing 169.254.169.254, localhost, or other internal services) if an attacker or misconfigured agent supplies a URL. Before installing or using this skill:

  • Treat it as capable of making arbitrary outbound HTTP requests. Run it in a network-isolated/sandboxed environment if you will pass untrusted URLs.
  • Prefer a patched version that enforces an allowlist (e.g., require hostname endswith "mp.weixin.qq.com" or a configured set of domains) and rejects IP literals, localhost, and private RFC1918 addresses.
  • Consider adding hostname resolution checks and preventing connections to private/internal ranges.
  • Audit and pin the Python dependencies from PyPI before installing.

If you only intend to fetch WeChat articles, request or make a small change: enforce domain validation in validate_url or wrap the script so only permitted hostnames are accepted.
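
One way to implement the domain enforcement and resolution check recommended above, as an added example; it is not the skill's own code, which this page does not show. The function is a hypothetical stand-in for validate_url, and ALLOWED_HOSTS, is_public_ip and the injectable resolver parameter are assumptions introduced for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Exact hostnames only. A bare endswith("mp.weixin.qq.com") test would also
# accept look-alikes such as "evilmp.weixin.qq.com" (constructed example).
ALLOWED_HOSTS = {"mp.weixin.qq.com"}


def _system_resolver(host):
    """Return every address the system resolver reports for host."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_ip(addr):
    """True only for globally routable addresses (not loopback, RFC 1918, link-local)."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 zone id
    mapped = getattr(ip, "ipv4_mapped", None)      # ::ffff:10.0.0.1 style
    return (mapped or ip).is_global


def validate_url(url, resolver=_system_resolver):
    """Return (ok, reason); hypothetical hardened stand-in for the skill's validate_url."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "malformed URL"
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo not allowed"
    host = (parts.hostname or "").rstrip(".").lower()
    if host not in ALLOWED_HOSTS:  # also rejects IP literals and localhost
        return False, "host not on allowlist"
    if port not in (None, 80, 443):
        return False, "port not allowed"
    try:
        addrs = resolver(host)
    except OSError:
        return False, "resolution failed"
    # Guard against an allowlisted name that resolves to an internal address.
    if not addrs or not all(is_public_ip(a) for a in addrs):
        return False, "resolves to non-public address"
    return True, "ok"
```

Because the script reports a final_url after redirects, the same check has to be applied to every redirect target, not only to the URL the caller supplied. A validation-time lookup also does not bind the address the HTTP client later connects to, so network-level egress restrictions remain a useful second layer.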


latest vk978get8kn7p6zfcxca55ng3xx844nnw
87 downloads
1 star
1 version
Updated 3w ago
v1.0.0
MIT-0

WeChat Web Fetch Skill

Features

  • Specialized for WeChat public account articles (mp.weixin.qq.com)
  • Simulates browser request with proper headers to bypass login restrictions for public articles
  • Extracts clean content and converts to Markdown format
  • Based on Readability for accurate content extraction

Requirements

  • Python 3.7+
  • httpx
  • readability-lxml

Usage

{baseDir}/scripts/weixin_fetch.py <url>

Output

Returns JSON with:

  • url: Original URL
  • final_url: Final URL after redirects
  • title: Article title
  • author: Article author (if found)
  • content: Extracted content in Markdown
  • length: Content length
  • truncated: Whether content was truncated

Examples

# Fetch a WeChat article
{baseDir}/scripts/weixin_fetch.py https://mp.weixin.qq.com/s/2o2s3owEDkZziyD0UCeq2w
