Wechat Article Search

Pass. Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: wechat-article-search
Version: 0.1.0

The skill bundle is classified as suspicious due to a file write vulnerability in `scripts/search_wechat.js`. The script allows writing search results to an arbitrary file path specified by the user via the `-o` or `--output` command-line argument. This lack of input sanitization for the output path could lead to path traversal, allowing an attacker to write data to unintended locations on the file system. While the content written is the script's own output (JSON search results), the ability to control the write location is a significant vulnerability. The `SKILL.md` instructions are benign, and the core web scraping functionality is aligned with the stated purpose, contacting legitimate Sogou domains.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing a global npm package changes the user's Node environment and depends on npm package provenance.

Why it was flagged

The skill relies on an unpinned npm dependency and suggests global installation, while the registry metadata does not declare required binaries or an install spec.

Skill content
This script depends on the Node.js package `cheerio`; it is recommended to install it globally first, or to install it in the project:

```bash
npm install -g cheerio
```
Recommendation

Prefer a local project install, pin the dependency version when possible, and install only from the official npm registry.

What this means

The user's network/IP may be used for scraping-like activity, which could run into site rate limits, terms-of-use restrictions, or IP blocking.

Why it was flagged

The script intentionally randomizes browser User-Agent headers for its web requests, which is aligned with the scraper/search purpose but is still behavior users should understand.

Skill content
```javascript
// Configurable User-Agent pool (fixed at 20 entries); one is chosen at random for each request to avoid a fixed UA
```

Recommendation

Use the skill sparingly, avoid bulk crawling, and follow the target sites' terms and rate limits.

What this means

Search keywords and link-resolution activity may be visible to external services.

Why it was flagged

The script sends requests to external Sogou/Weixin endpoints to perform searches and resolve article links.

Skill content
```javascript
'Host': 'weixin.sogou.com',
'Referer': 'https://weixin.sogou.com/'
```

Recommendation

Avoid using confidential or sensitive search terms, and be aware that resolving real URLs may generate additional external requests.