ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Save Article Universal

v1.0.0

通用微信公众号文章保存工具。支持多种笔记应用(Obsidian、Miaoyan、Notion 等),自动抓取文章、生成摘要、保存为 Markdown。

0· 66·0 current·0 all-time
by@vlalamoon
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The README/SKILL.md claim support for Notion and list a config.json.example, but the Python code does not implement a Notion save handler (SaveHandler.get_save_path handles only 'obsidian', 'miaoyan', and 'local') and there is no config example file in the manifest. This is a functional mismatch between advertised capabilities and the actual code.
Instruction Scope
Runtime instructions ask the user to create/modify a config.json and optionally set environment variables (SAVE_PATH, OBSIDIAN_VAULT_PATH, NOTION_API_KEY, etc.). The code reads those same env vars and a local config.json. The agent will run curl (via subprocess) to fetch arbitrary URLs supplied by the user — expected for the task. The SKILL.md references copying a config example that is not present in the bundle, which is a minor documentation/packaging issue to be aware of.
Install Mechanism
No install spec; this is instruction-only plus a Python script. No external binary downloads or package installations are specified by the skill bundle. Dependency usage (curl via subprocess, optional 'requests' for Notion) is consistent with an instruction-only script.
!
Credentials
Registry metadata declares no required environment variables, but the code actively reads multiple env vars (SAVE_PATH, OBSIDIAN_VAULT_PATH, NOTION_API_KEY, NOTION_DATABASE_ID, etc.). Notion credentials are accepted into config but not used by the code, which is inconsistent and could mislead users into providing sensitive keys that the package does not need or use.
Persistence & Privilege
The skill does not request elevated platform privileges or 'always: true'. It writes files to user-specified locations (default ~/Documents/Articles, possible Obsidian vault path, and an iCloud Miaoyan path). Writing to local or iCloud folders is expected for a save utility but is a capability users should be aware of.
What to consider before installing
This package is mostly a local article-saver script but has inconsistencies you should resolve before running it. Specifically: - The README/SKILL.md claim Notion support and reference config.json.example, but the code does not implement Notion syncing and the example file is not included. Ask the author or inspect/modify the code if you need Notion. - The code will read environment variables (NOTION_API_KEY, OBSIDIAN_VAULT_PATH, SAVE_PATH, etc.) even though the registry lists none. Do not export secrets like API keys to your environment for this tool unless you confirm the tool actually uses them. - The script uses curl (via subprocess) to fetch any URL you pass and will write files to your filesystem (including an iCloud path if you choose 'miaoyan'). Run it in a controlled environment first and review the source if you plan to run it on sensitive machines. If you want to proceed: (1) inspect save_article.py to confirm behavior, (2) run it with a test directory (not your real vault/iCloud), and (3) request a corrected package (add Notion implementation or remove Notion claims and include the config example) or clarification from the publisher.

Like a lobster shell, security has layers — review code before you run it.

articlevk979hk870137e0ae2vyg0j00v183e6kplatestvk979hk870137e0ae2vyg0j00v183e6kpsavevk979hk870137e0ae2vyg0j00v183e6kpwechatvk979hk870137e0ae2vyg0j00v183e6kp

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments