freestylefly

微信公众号文章解析

by 苍何 · GitHub ↗ · v1.0.1
cross-platform ⚠ suspicious
1701 Downloads · 5 Stars · 8 Active Installs · 2 Versions
Install in OpenClaw
/install wechat-article-extractor-skill
Description
Extract metadata and content from WeChat Official Account articles. Use when user needs to parse WeChat article URLs (mp.weixin.qq.com), extract article info...
Usage Guidance
This package generally does what it claims (it fetches WeChat article pages and extracts metadata), but it uses `new Function(...)` to execute JavaScript pulled from remote pages. That makes it risky to run on untrusted input because the evaluated code could be malicious or cause resource abuse. Before installing or running:
  1. Review/grep the scripts for use of `new Function` / `eval` and consider replacing evaluation with safer static parsing where possible.
  2. Run `npm install` and `npm audit` locally; pin dependencies and inspect transitive deps.
  3. Run the skill inside an isolated sandbox/container with restricted network egress and limited CPU/memory.
  4. Do not feed it URLs that contain sensitive tokens or that point to internal resources.
  5. If you need stronger assurance, ask the author for a version that avoids executing remote JS or provide a minimal repro showing why evaluation is necessary.
If you cannot sandbox it, treat it as high-risk.
Capability Analysis
Type: OpenClaw Skill
Name: wechat-article-extractor-skill
Version: 1.0.1
The skill is classified as suspicious primarily due to a critical Remote Code Execution (RCE) vulnerability in `scripts/extract.js`. It uses `new Function()` to execute JavaScript code snippets extracted directly from untrusted HTML content (WeChat articles). While the apparent intent is to parse embedded metadata, this method allows an attacker to craft a malicious WeChat article that, when processed by the skill, could execute arbitrary Node.js code on the host system if the environment is not sufficiently sandboxed. Additionally, the skill relies on the deprecated `request-promise` library, which poses a maintenance and potential security risk, and the URL validation for network requests could potentially be bypassed, leading to Server-Side Request Forgery (SSRF) if not handled carefully by the underlying `request` library.
Capability Assessment
Purpose & Capability
Name, README, SKILL.md, and the included scripts all align: the code fetches mp.weixin.qq.com or weixin.sogou.com pages and parses metadata/content using cheerio and script parsing. Declared npm dependencies match the parsing/HTTP tasks.
Instruction Scope
The runtime code performs HTTP requests to arbitrary user-supplied URLs and parses page scripts. It constructs and runs new Function(...) on JavaScript extracted from page <script> tags to recover data (and recurses to follow transfer links). Executing code derived from remote pages is dangerous (can cause CPU/IO abuse or access globals) even if used to parse data; the SKILL.md does not warn about this or require sandboxing. The instructions don’t ask for extra credentials or system files, but the dynamic evaluation of untrusted content is scope-expanding.
Install Mechanism
No install spec is provided (instruction-only), but package.json and package-lock.json are included, meaning a user will need to run `npm install` to use the code. The lockfile contains many transitive dependencies (some unexpected packages appear in the lockfile), but no direct download-from-URL or third-party install mechanism was found. Recommend running `npm audit` and installing in an isolated environment.
Credentials
The skill does not request environment variables, credentials, or system config paths. The code does not read process.env or other secrets. This is proportionate to the stated purpose.
Persistence & Privilege
The skill is not always-enabled and is user-invocable (normal). It includes a .claude/settings.local.json file that references an "enabledMcpjsonServers" value (cloudbase) and a flag to enable project MCP servers — this is a local config snippet and does not by itself escalate privileges, but it is unexpected metadata and worth reviewing if you run this in a managed Claude/agent environment.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install wechat-article-extractor-skill
  3. After installation, invoke the skill by name or use /wechat-article-extractor-skill
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
- Removed the convert.js file.
v1.0.0
WeChat Article Extractor v1.0.0
- Initial release.
- Extracts metadata and content from WeChat Official Account articles, covering posts, videos, images, voice messages, text, and reposts.
- Supports parsing from both direct URLs and raw HTML source.
- Provides account and article metadata (title, author, content, publish time, cover image, and more).
- Includes multiple configuration options and detailed error handling with specific error codes.
- Compatible with Sogou WeChat search results.
Metadata
Slug wechat-article-extractor-skill
Version 1.0.1
License
All-time Installs 11
Active Installs 8
Total Versions 2
Frequently Asked Questions

What is 微信公众号文章解析?

Extract metadata and content from WeChat Official Account articles. Use when user needs to parse WeChat article URLs (mp.weixin.qq.com), extract article info... It is an AI Agent Skill for Claude Code / OpenClaw, with 1701 downloads so far.

How do I install 微信公众号文章解析?

Run "/install wechat-article-extractor-skill" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is 微信公众号文章解析 free?

Yes, 微信公众号文章解析 is completely free (open-source). You can download, install and use it at no cost.

Which platforms does 微信公众号文章解析 support?

微信公众号文章解析 is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created 微信公众号文章解析?

It is built and maintained by 苍何 (@freestylefly); the current version is v1.0.1.
