Security scan
OpenClaw
Suspicious
medium confidence
Assessment recommendations
Key points to consider before installing/using:
- The tool needs an authenticated session cookie to fetch protected pages. The SKILL.md's wording that Playwright 'gets session cookies automatically' is misleading — the script uses Playwright only to extract doc_id and does not transfer browser cookies into the requests.Session. You will usually need to supply cookies via --cookies or by editing COOKIES_RAW. Treat those cookies like passwords: only paste them into the script on machines you tru...
ℹ Purpose and capability
The code and SKILL.md align with the stated purpose: they fetch developer.work.weixin.qq.com content_md and clean it for Obsidian. Requiring a session cookie for authenticated pages is expected. However, the README/SKILL.md claim that Playwright 'obtains session cookies automatically — no manual cookie setup needed' is misleading: get_doc_id_via_playwright only extracts doc_id and does not transfer Playwright/browser cookies into the requests.Session used for the actual API POST.
⚠ Instruction scope
Instructions ask users to install Playwright/Chromium and optionally paste browser cookies. The runtime SKILL.md implies Playwright will both find doc_id and handle authentication automatically; the script only uses Playwright to intercept the XHR and extract doc_id. After that, the requests.Session uses COOKIES_RAW or --cookies. This mismatch could lead users to believe no manual cookie handling is needed and either share cookies unnecessarily or fail to get content_md unexpectedly.
ℹ Install mechanism
This is an instruction-only skill (no automated install spec). SKILL.md instructs users to pip install playwright and run `playwright install chromium`, which will download a ~150 MB headless Chromium binary from Playwright's release infrastructure. That download is large but expected for browser automation; there is no hidden or unusual external installer in the skill bundle itself.
ℹ Credential requirements
The skill declares no required env vars or credentials in registry metadata, which matches the code. However the tool requires session cookies for authenticated API access; those are sensitive (session id / JWT) and the script provides a COOKIES_RAW variable and a --cookies flag to accept them. Requiring cookies is proportionate to the task, but handing them to the script is a sensitive operation and should be done deliberately.
✓ Persistence and privileges
The skill does not request permanent inclusion, does not modify other skills or system configuration, and does not persist beyond writing the requested markdown file. It runs as an on-demand script and does not elevate privileges.
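Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Version
latest v1.0.0 2026/2/22
● Suspicious
Install command
Official: `npx clawhub@latest install wecom-doc-fetcher`
Mirror (accelerated): `npx clawhub@latest install wecom-doc-fetcher --registry https://cn.longxiaskill.com`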