← Back to Skills Marketplace
643
Downloads
0
Stars
4
Active Installs
1
Versions
Install in OpenClaw
/install wecom-doc-fetcher
Description
Fetch and convert WeChat Work developer docs pages into clean Markdown files for use in Obsidian, handling SPA content and required authentication.
Usage Guidance
Key points to consider before installing/using:
- The tool needs an authenticated session cookie to fetch protected pages. The SKILL.md's wording that Playwright 'gets session cookies automatically' is misleading — the script uses Playwright only to extract doc_id and does not transfer browser cookies into the requests.Session. You will usually need to supply cookies via --cookies or by editing COOKIES_RAW. Treat those cookies like passwords: only paste them into the script on machines you trust, and consider revoking the session after use.
- Playwright requires installing a headless Chromium (~150 MB). Install it only if you accept that download and run browser automation locally.
- The script only contacts developer.work.weixin.qq.com (no other remote endpoints). You can verify network calls by reviewing the code (fetch_doc uses a single POST to the site) or by running the script in a network-monitored/isolated environment.
- If you want the advertised 'automatic' behavior (no manual cookie paste), you or the author would need to modify the script to extract cookies from Playwright and transfer them into the requests.Session before calling the API; as-is, the documentation overpromises.
- If you are uncomfortable pasting session cookies into a script, use the manual fallback to get doc_id and then query the API using a browser-exported curl only on an environment you control, or ask the author to add Playwright cookie transfer or OAuth support. Run the script in an isolated environment (container/VM) if possible.
Capability Analysis
Type: OpenClaw Skill
Name: wecom-doc-fetcher
Version: 1.0.0
The `wx_doc_fetch.py` script contains significant vulnerabilities. It directly uses user-provided input for the output file path (`args.output`) without sanitization, leading to a file path traversal vulnerability (e.g., writing to `../../../../etc/passwd`). Additionally, the script fetches content from user-provided URLs (`args.url`) using `requests` and `playwright` without domain validation, creating a Server-Side Request Forgery (SSRF) vulnerability. Both vulnerabilities could be exploited by a malicious user through prompt injection against the OpenClaw agent, instructing it to use the skill with harmful arguments.
Capability Assessment
Purpose & Capability
The code and SKILL.md align with the stated purpose: they fetch developer.work.weixin.qq.com content_md and clean it for Obsidian. Requiring a session cookie for authenticated pages is expected. However, the README/SKILL.md claim that Playwright 'obtains session cookies automatically — no manual cookie setup needed' is misleading: get_doc_id_via_playwright only extracts doc_id and does not transfer Playwright/browser cookies into the requests.Session used for the actual API POST.
Instruction Scope
Instructions ask users to install Playwright/Chromium and optionally paste browser cookies. The runtime SKILL.md implies Playwright will both find doc_id and handle authentication automatically; the script only uses Playwright to intercept the XHR and extract doc_id. After that, the requests.Session uses COOKIES_RAW or --cookies. This mismatch could lead users to believe no manual cookie handling is needed and either share cookies unnecessarily or fail to get content_md unexpectedly.
Install Mechanism
This is an instruction-only skill (no automated install spec). SKILL.md instructs users to pip install playwright and run `playwright install chromium`, which will download a ~150 MB headless Chromium binary from Playwright's release infrastructure. That download is large but expected for browser automation; there is no hidden or unusual external installer in the skill bundle itself.
Credentials
The skill declares no required env vars or credentials in registry metadata, which matches the code. However the tool requires session cookies for authenticated API access; those are sensitive (session id / JWT) and the script provides a COOKIES_RAW variable and a --cookies flag to accept them. Requiring cookies is proportionate to the task, but handing them to the script is a sensitive operation and should be done deliberately.
Persistence & Privilege
The skill does not request permanent inclusion, does not modify other skills or system configuration, and does not persist beyond writing the requested markdown file. It runs as an on-demand script and does not elevate privileges.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install wecom-doc-fetcher - After installation, invoke the skill by name or use
/wecom-doc-fetcher - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release: Convert WeChat Work API docs to clean Markdown via private API
Metadata
Frequently Asked Questions
What is WeChat Work Doc Fetcher?
Fetch and convert WeChat Work developer docs pages into clean Markdown files for use in Obsidian, handling SPA content and required authentication. It is an AI Agent Skill for Claude Code / OpenClaw, with 643 downloads so far.
How do I install WeChat Work Doc Fetcher?
Run "/install wecom-doc-fetcher" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is WeChat Work Doc Fetcher free?
Yes, WeChat Work Doc Fetcher is completely free (open-source). You can download, install and use it at no cost.
Which platforms does WeChat Work Doc Fetcher support?
WeChat Work Doc Fetcher is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created WeChat Work Doc Fetcher?
It is built and maintained by mouzhi (@mouzhi); the current version is v1.0.0.
More Skills