wechat hot content
Review
Audited by ClawScan on May 11, 2026.
Overview
This skill largely matches its WeChat hot-content lookup purpose, but its helper fetches data over HTTPS with certificate checks disabled, so results and links could be tampered with in transit.
Review this skill before installing. It sends your search keywords to an external content-data API and currently disables HTTPS certificate verification, so avoid using it on untrusted networks or for sensitive queries until that is fixed.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

A network attacker or intermediary could tamper with article data or links shown in the generated report.
The helper performs HTTPS requests while explicitly disabling certificate and hostname validation and avoiding SNI, so the API response cannot be authenticated.
context.check_hostname = False
context.verify_mode = ssl.CERT_NONE
ssl_sock = context.wrap_socket(sock, server_hostname=None)
Use a standard HTTPS client with certificate validation enabled, and only add a narrowly justified, user-visible fallback if absolutely necessary.
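The following is an added illustration, not code from the skill or from ClawScan. It rebuilds the flagged configuration next to the corrected one and adds a small audit function of the kind a reviewer might run over a context before letting a helper use it; the function and variable names are ours, and no network connection is made.

```python
import ssl
from typing import List

# Reproduction of the pattern flagged in the finding (constructed here for illustration,
# not the skill's own helper): with verification off, any certificate is accepted and the
# name in it is never compared against the host being contacted.
def insecure_context() -> ssl.SSLContext:
    context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    context.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    context.verify_mode = ssl.CERT_NONE
    return context

# Corrected form: the default context loads the system trust store, requires a chain to a
# trusted CA and checks the hostname. wrap_socket() must then be given server_hostname so
# that SNI is sent and the certificate name is matched.
def secure_context() -> ssl.SSLContext:
    return ssl.create_default_context()

def audit_context(context: ssl.SSLContext) -> List[str]:
    """Return the reasons a context would fail to authenticate the peer (empty if none)."""
    findings = []
    if context.verify_mode == ssl.CERT_NONE:
        findings.append("verify_mode is CERT_NONE: server certificate is not validated")
    if not context.check_hostname:
        findings.append("check_hostname is False: certificate name is not matched to the host")
    return findings

def wrap_client_socket(sock, host: str, context: ssl.SSLContext):
    """Wrap an already-connected socket, refusing insecure contexts and missing hostnames."""
    if not host:
        raise ValueError("server_hostname is required for SNI and hostname verification")
    problems = audit_context(context)
    if problems:
        raise ValueError("refusing insecure TLS context: " + "; ".join(problems))
    return context.wrap_socket(sock, server_hostname=host)

if __name__ == "__main__":
    for name, ctx in (("flagged", insecure_context()), ("corrected", secure_context())):
        print(name, audit_context(ctx) or ["ok"])
```

Run stand-alone it prints the two findings for the flagged context and "ok" for the corrected one. Note that the standard `ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)` constructor already starts with verification on; the skill's helper had to opt out of it in two explicit steps, which is what makes the finding easy to spot in a static review.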

Users may believe suggested refinement terms are data-backed when they may only be generated by the agent.
The workflow example says the agent has queried recent trends in a step where it is specifically instructed not to query data.
Step 1: generate subcategory terms (calling the script to search for data is prohibited) ... Recent hot trends have been queried; the following subcategory directions are recommended
Reword this template to say the terms are suggested based on the user's broad category unless a real data query has actually been run.

Search keywords and dates are sent to a third-party service, and the trustworthiness of the data source is not easy for the user to verify.
The skill sends query terms to a hardcoded external API endpoint; this is purpose-aligned, but users are not given much provenance context for that provider.
base_url = "https://onetotenvip.com/skill/cozeSkill/getWxCozeSkillData"
params = {"keyword": keyword, "source": "公众号爆款文章洞察-ClawHub"}
Disclose the external data provider, its privacy expectations, and the exact data sent in the user-facing documentation.

Installing and using the skill may run bundled Python code and write local HTML/JSON output files.
The workflow relies on executing a local Python helper script. This is central to the stated purpose and is documented, but it is still local code execution.
python scripts/fetch_gzh_trends.py --keyword <关键词> --start-date <日期>
Only run it in a workspace where local report files are acceptable, and review the bundled script before use if your environment is sensitive.
