WeChat Browser Reader
v1.0.0Read WeChat Official Account articles (mp.weixin.qq.com) via Chrome DevTools browser automation. Use when user provides a WeChat article URL and other extrac...
⭐ 0· 69·0 current·0 all-time
by反应慢@zmlgit
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The name, description, and runtime instructions align: the skill uses Chrome DevTools automation (navigate_page, evaluate_script, click, etc.) to load and extract WeChat article content and handle captcha/decryption. There are no unrelated requirements or surprising capabilities declared.
Instruction Scope
SKILL.md contains specific, narrowly scoped steps (open URL, click verification elements, wait for decryption, evaluate DOM for title/author/content). It does not instruct reading arbitrary files, environment variables, or sending data to third-party endpoints. The actions described are appropriate for the stated task.
Install Mechanism
There is no install spec and no code files; this is instruction-only. That minimizes disk-write and supply-chain risk. The skill expects existing OpenClaw browser tooling and a local Chrome instance with --remote-debugging enabled (documented as a prerequisite).
Credentials
Although the skill requests no environment variables or credentials, it requires connecting to Chrome's remote debugging port (9222). That connection gives the controller full access to the browser instance and its profile (cookies, local storage, active sessions, bookmarks, etc.). This is proportionate to the task only if the user runs Chrome with a dedicated, isolated profile (as the README suggests /tmp/chrome-debug-profile). If the user points the debugger at their primary browser profile or exposes the port to the network, sensitive data could be accessed or exfiltrated by scripts run via evaluate_script.
Persistence & Privilege
The skill is not always-included, does not request persistent system modifications, and has no install step. It is user-invocable and will only run when invoked. There is no indication it modifies other skills or system-wide settings.
Assessment
This skill appears to do what it says (automate a local Chrome to read WeChat articles), but it requires attaching to Chrome's remote debugging port—which effectively gives the skill full control of that browser profile. Before installing or using it: (1) only start Chrome for this skill with a dedicated temporary profile (use --user-data-dir pointing to an isolated directory) so your personal cookies and sessions are not exposed, (2) bind remote debugging to localhost and do not expose port 9222 to the network, (3) consider running Chrome in a container or VM if you want stronger isolation, (4) verify you trust the environment that provides the 'navigate_page'/'evaluate_script' tooling (those primitives can execute arbitrary JS, including reading document.cookie or other sensitive data), and (5) avoid using your main browser profile or any profile that contains authenticated sessions. If you follow these precautions the skill's behavior is coherent with its purpose; if you cannot isolate the browser instance, do not use the skill.Like a lobster shell, security has layers — review code before you run it.
latestvk97dqf7thmgdnwadjzntyrgy7x83sep2
License
MIT-0
Free to use, modify, and redistribute. No attribution required.