📦 WeChat Article Parser — WeChat Official Account Article Parsing

v1.0.1

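Parses WeChat Official Account articles in one step, accurately extracting the title, author, publish time, body text, and cover image. Supports mp.weixin.qq.com links, automatically cleans up formatting, and outputs structured JSON for further editing, archiving, or RSS subscription.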

5 · 1.6k · 7 current · 10 total
by @freestylefly (苍何)
Last updated: 2026/4/22
Security scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
The skill appears to implement the described WeChat article extraction functionality, but it executes JavaScript extracted from remote pages (via new Function) and fetches arbitrary URLs — a risky pattern that warrants caution before installing or running it in production.
Assessment recommendations
This package generally does what it claims — it fetches WeChat article pages and extracts metadata — but it uses new Function(...) to execute JavaScript pulled from remote pages. That makes it risky to run on untrusted input because the evaluated code could be malicious or cause resource abuse. Before installing or running: 1) Review/grep the scripts for use of new Function / eval and consider replacing evaluation with safer static parsing where possible. 2) Run npm install and npm audit locally...
Detailed analysis
Purpose and capability
Name, README, SKILL.md, and the included scripts all align: the code fetches mp.weixin.qq.com or weixin.sogou.com pages and parses metadata/content using cheerio and script parsing. Declared npm dependencies match the parsing/HTTP tasks.
Instruction scope
The runtime code performs HTTP requests to arbitrary user-supplied URLs and parses page scripts. It constructs and runs new Function(...) on JavaScript extracted from page <script> tags to recover data (and recurses to follow transfer links). Executing code derived from remote pages is dangerous (can cause CPU/IO abuse or access globals) even if used to parse data; the SKILL.md does not warn about this or require sandboxing. The instructions don’t ask for extra credentials or system files, but the dynamic evaluation of untrusted content is scope-expanding.
Install mechanism
No install spec is provided (instruction-only), but package.json and package-lock.json are included, meaning a user will need to run npm install to use the code. The lockfile contains many transitive dependencies (some unexpected packages appear in the lockfile), but no direct download-from-URL or third-party install mechanism was found. Recommend running npm audit and installing in an isolated environment.
Credential requirements
The skill does not request environment variables, credentials, or system config paths. The code does not read process.env or other secrets. This is proportionate to the stated purpose.
Persistence and privileges
The skill is not always-enabled and is user-invocable (normal). It includes a .claude/settings.local.json file that references an "enabledMcpjsonServers" value (cloudbase) and a flag to enable project MCP servers — this is a local config snippet and does not by itself escalate privileges, but it is unexpected metadata and worth reviewing if you run this in a managed Claude/agent environment.
Security is layered; review the code before running it.

Runtime dependencies

No special dependencies

Versions

latest · v1.0.1 · 2026/2/19

- Removed the convert.js file.

Suspicious

Install command

Official: npx clawhub@latest install wechat-article-extractor-skill
Mirror (accelerated): npx clawhub@latest install wechat-article-extractor-skill --registry https://cn.longxiaskill.com
Data source: ClawHub · Chinese-language optimization: 龙虾技能库