jixsonwang

Wechat Search

by Jixson · GitHub ↗ · v1.0.3
cross-platform ⚠ suspicious
2965 Downloads · 8 Stars · 22 Active Installs · 4 Versions
Install in OpenClaw
/install wechat-search
Description
Search WeChat Official Account articles using OpenClaw's web search, Tavily API, and web fetch capabilities with compliance-focused design.
Usage Guidance
This skill contains mismatches and runtime assumptions you should verify before installing.

Specific concerns:
- The code expects a TAVILY_API_KEY (and falls back to ~/.openclaw/tavily-config.json) but the skill metadata does not declare this required credential. If you enable the skill and set that env var, it will be used by subprocesses. Only provide secrets you trust the skill to use and declare.
- The Python code invokes external binaries (node and the OpenClaw CLI) via subprocess; ensure those binaries exist and are the versions you expect. If you don't run node or OpenClaw in the environment, the skill may fail or behave unexpectedly.
- The code executes a Node.js script via an absolute path in /root/.openclaw/workspace/skills/..., which means the skill will run code from other skill workspaces. Before enabling, inspect the referenced script (search.mjs) and any other code under that path to ensure it is safe and hasn't been tampered with.
- Because the skill spawns subprocesses, it can pass environment variables to child processes. Avoid installing it in environments containing sensitive credentials unless you audited the invoked scripts.

Recommended actions:
- Ask the publisher to update the registry metadata and SKILL.md to explicitly declare required env vars (TAVILY_API_KEY), required binaries (node, openclaw), and any expected config file paths.
- Inspect the referenced Node script (/root/.openclaw/workspace/skills/tavily-search/scripts/search.mjs) and confirm its provenance before allowing the skill to run it.
- If possible, run the skill in a sandboxed environment (container) without access to sensitive environment variables or host files until you are comfortable.
- If you cannot inspect or sandbox the invoked Node script and you need to keep your environment sealed, do not install or enable this skill.
Confidence: high — the mismatch between declared metadata/instructions and the actual code paths (undisclosed env var use, subprocess execution of other-skill scripts, absolute paths) is clear and material.
Capability Analysis
Type: OpenClaw Skill
Name: wechat-search
Version: 1.0.3

The skill uses `subprocess.run` in `wechat_search.py`, `wechat_search_fixed.py`, and `wechat_search_simple.py` to execute external scripts and OpenClaw tools. Specifically, it calls `node /root/.openclaw/workspace/skills/tavily-search/scripts/search.mjs` for Tavily search and `openclaw tool web_fetch` for direct web scraping. While these actions are plausibly aligned with the stated purpose of a multi-layer search strategy and arguments are passed as lists (reducing direct shell injection risk), the use of `subprocess.run` to execute arbitrary external scripts (even if internal to the OpenClaw ecosystem) represents a powerful capability that warrants a 'suspicious' classification due to its inherent risk, without clear evidence of intentional malicious behavior.
Capability Assessment
Purpose & Capability
The description and SKILL.md claim use of OpenClaw web tools and Tavily as optional, but the packaged Python code actually requires a TAVILY_API_KEY, invokes Node.js scripts, and calls the 'openclaw' CLI. The registry metadata lists no required env vars or binaries, so the actual capabilities (need for Node and OpenClaw CLI, and access to Tavily) are not reflected in the declared requirements. The code also hardcodes absolute paths (/root/.openclaw/workspace/skills/...), which implies cross-skill or privileged assumptions that don't match the stated purpose.
Instruction Scope
SKILL.md describes a three-layer strategy and mentions web_search/web_fetch tools and optional API keys, but the code performs additional actions not clearly documented: it reads ~/.openclaw/tavily-config.json as a fallback, and directly executes a Node.js script at an absolute workspace path. The instructions do not document executing other skills' scripts or requiring Node/OpenClaw binaries, giving the agent broader runtime actions than advertised.
Install Mechanism
There is no install spec (instruction-only), so nothing is automatically downloaded or installed by the skill bundle itself. That lowers disk-write risk. However, the runtime relies on external binaries (node, openclaw) being present; those are not installed by the skill.
Credentials
The package metadata declares no required environment variables, yet multiple code paths demand TAVILY_API_KEY (and attempt to load it from ~/.openclaw/tavily-config.json). This is a mismatch: a credential is effectively required but not declared. The skill also inherits the process environment when invoking subprocesses, so it could leak additional env vars to child processes if present.
Persistence & Privilege
The skill is not marked always:true and does not persistently modify system config, which is good. However, it executes other-skill code by invoking a hardcoded Node script in /root/.openclaw/workspace/skills/tavily-search/scripts/search.mjs and calls the OpenClaw CLI; this means it assumes and acts on workspace files belonging to other skills/runtime and can execute arbitrary code there. Accessing/executing other skills' files is a cross-skill privilege that the SKILL.md and metadata do not disclose.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install wechat-search
  3. After installation, invoke the skill by name or use /wechat-search
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.3
- Added Tavily Search API as a secondary search option, expanding from a two-layer to a three-layer search strategy.
- Updated documentation to reflect the new search order: primary (Brave Search), secondary (Tavily), fallback (direct web fetch).
- Improved fallback logic and error handling, ensuring graceful degradation across all three strategies.
- Added example for forcing a specific search strategy in the command-line usage.
- Enhanced compliance documentation to clarify API key usage and strategy details.
v1.0.2
- Removed all test files and test configuration (run_tests.py and tests/ directory).
- Updated README.md and requirements.txt (details not provided).
- No changes to core functionality.
v1.0.1
- Added a complete test suite, including unit and debug test scripts and configuration files.
- Enhanced maintainability and reliability by introducing automated testing.
- Updated documentation and dependencies to reflect new testing capabilities.
v1.0.0
Initial release of wechat-search skill.
- Search WeChat Official Account (微信公众号) articles using a compliant, two-layer strategy (web search first, respectful web-fetch fallback).
- Supports recency and date range filters; returns up to 20 results, 5 by default.
- Multiple output formats: text, JSON, and markdown.
- Respects robots.txt, uses clear User-Agent, follows rate limiting, and only accesses public content.
- Requires OpenClaw web tools; optional Tavily API integration for search.
- Includes robust error handling with retries and graceful fallback between search methods.
Metadata
Slug wechat-search
Version 1.0.3
License
All-time Installs 25
Active Installs 22
Total Versions 4
Frequently Asked Questions

What is Wechat Search?

Search WeChat Official Account articles using OpenClaw's web search, Tavily API, and web fetch capabilities with compliance-focused design. It is an AI Agent Skill for Claude Code / OpenClaw, with 2965 downloads so far.

How do I install Wechat Search?

Run "/install wechat-search" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Wechat Search free?

Yes, Wechat Search is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Wechat Search support?

Wechat Search is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Wechat Search?

It is built and maintained by Jixson (@jixsonwang); the current version is v1.0.3.
