← Back to Skills Marketplace
98
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install wechatarticle-extractor
Description
Extract metadata and content from WeChat Official Account articles. Use when user needs to parse WeChat article URLs (mp.weixin.qq.com), extract article info...
Usage Guidance
This skill mostly matches its description (it fetches and parses WeChat article pages), but take these precautions before installing or running it:
- Inspect or remove helper scripts: do not run convert.js or run-extract.js unmodified — they contain hardcoded absolute paths that will read/write files in specific user home directories. Those files look like developer convenience scripts and are not needed for normal CLI usage.
- Beware dynamic execution: scripts/extract.js uses new Function(...) to evaluate JavaScript taken from page <script> blocks. That can execute arbitrary code from the scraped page. Only run this tool on unprivileged hosts or inside a sandbox/container, and avoid feeding it URLs from untrusted sources.
- Run in an isolated environment (VM, container) and avoid running as an administrator/root user. Review which files will be written and consider changing output paths to a safe directory.
- If you need higher assurance, ask the maintainer whether the new Function usage is strictly limited to parsing static assignment expressions (and for a code comment or test showing sanitization), and request removal or disabling of developer scripts with hardcoded paths.
Given these issues, treat the skill as suspicious rather than outright malicious; it may be benign developer leftovers, but it includes risky behaviors you should address before use.
Capability Analysis
Type: OpenClaw Skill
Name: wechatarticle-extractor
Version: 1.0.0
The skill contains a significant security vulnerability in `scripts/extract.js`, where it uses `new Function()` to execute JavaScript code extracted directly from the HTML of the target WeChat article. This creates a Remote Code Execution (RCE) risk if the tool is directed to a malicious URL designed to exploit this parsing logic. Additionally, `convert.js` and `run-extract.js` contain hardcoded absolute file paths (e.g., `/Users/canghe/` and `C:/Users/xsl/`), suggesting the bundle was packaged from a local development environment without proper sanitization. While these issues represent poor security practices and high risk, there is no clear evidence of intentional malice or data exfiltration.
Capability Assessment
Purpose & Capability
The name/description and the main scripts (scripts/extract.js, bin/wechat-extract.js) match the stated purpose (fetch and parse mp.weixin.qq.com pages). However there are additional files (convert.js, run-extract.js) that read/write absolute user-specific filesystem paths and embed a concrete example URL; those files are not necessary for the core scraping capability and are unexpected.
Instruction Scope
SKILL.md and the CLI instruct only network fetch + parsing. But repository files reference local filesystem paths (e.g. convert.js reads /Users/canghe/.../tool-results/b97eb13.txt and writes to /Users/canghe/Downloads/..., run-extract.js writes to C:/Users/xsl/...), which are outside the stated scope and would access user data if executed. Also scripts/extract.js uses new Function to execute code snippets extracted from page <script> tags — this executes untrusted JS scraped from webpages.
Install Mechanism
No install spec is provided (instruction-only from platform perspective). Dependencies are standard npm libs declared in package.json (cheerio, request-promise, etc.). There is no external download or obscure installer.
Credentials
The skill does not request environment variables or credentials, which is appropriate. But the presence of hardcoded absolute paths and sample-run files that access user home directories is disproportionate to a simple extractor and could read or overwrite local files if those helper scripts are run.
Persistence & Privilege
The skill is not always-enabled and doesn't request special platform privileges. It writes output files when used (expected for a CLI tool). The concern is file writes to unexpected, hardcoded locations in some scripts rather than a generic current-directory output.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install wechatarticle-extractor - After installation, invoke the skill by name or use
/wechatarticle-extractor - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial major release — rewritten in Node.js for robust WeChat article extraction and CLI use.
- Add command-line interface (CLI) for article extraction to Markdown or JSON: `npx wechat-article-extractor <URL>`.
- Supports parsing WeChat article links (mp.weixin.qq.com), extracting metadata (title, author, publish time, etc.), and handling multiple article types (posts, videos, images, voices, reposts).
- Provides both CLI and programmatic (JavaScript API) usage.
- Detailed error handling with meaningful error codes and messages for various WeChat content restrictions or failures.
- Output supports Markdown, JSON, or HTML, with options for file path and format.
- Dependencies: cheerio, dayjs, request-promise, qs, lodash.unescape.
Metadata
Frequently Asked Questions
What is 微信公众号内容提取工具?
Extract metadata and content from WeChat Official Account articles. Use when user needs to parse WeChat article URLs (mp.weixin.qq.com), extract article info... It is an AI Agent Skill for Claude Code / OpenClaw, with 98 downloads so far.
How do I install 微信公众号内容提取工具?
Run "/install wechatarticle-extractor" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is 微信公众号内容提取工具 free?
Yes, 微信公众号内容提取工具 is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does 微信公众号内容提取工具 support?
微信公众号内容提取工具 is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created 微信公众号内容提取工具?
It is built and maintained by 雨飞 (@xls1994); the current version is v1.0.0.
More Skills