Total downloads: 1701
Favorites: 5
Current installs: 8
Versions: 2
Install in OpenClaw
/install wechat-article-extractor-skill
Description
Extract metadata and content from WeChat Official Account articles. Use when user needs to parse WeChat article URLs (mp.weixin.qq.com), extract article info...
Security usage recommendations
This package generally does what it claims — it fetches WeChat article pages and extracts metadata — but it uses `new Function(...)` to execute JavaScript pulled from remote pages. That makes it risky to run on untrusted input because the evaluated code could be malicious or cause resource abuse. Before installing or running:
1) Review/grep the scripts for use of `new Function` / `eval` and consider replacing evaluation with safer static parsing where possible.
2) Run `npm install` and `npm audit` locally; pin dependencies and inspect transitive deps.
3) Run the skill inside an isolated sandbox/container with restricted network egress and limited CPU/memory.
4) Do not feed it URLs that contain sensitive tokens or that point to internal resources.
5) If you need stronger assurance, ask the author for a version that avoids executing remote JS or provide a minimal repro showing why evaluation is necessary.
If you cannot sandbox it, treat it as high-risk.
Functional analysis
Type: OpenClaw Skill
Name: wechat-article-extractor-skill
Version: 1.0.1
The skill is classified as suspicious primarily due to a critical Remote Code Execution (RCE) vulnerability in `scripts/extract.js`. It uses `new Function()` to execute JavaScript code snippets extracted directly from untrusted HTML content (WeChat articles). While the apparent intent is to parse embedded metadata, this method allows an attacker to craft a malicious WeChat article that, when processed by the skill, could execute arbitrary Node.js code on the host system if the environment is not sufficiently sandboxed. Additionally, the skill relies on the deprecated `request-promise` library, which poses a maintenance and potential security risk, and the URL validation for network requests could potentially be bypassed, leading to Server-Side Request Forgery (SSRF) if not handled carefully by the underlying `request` library.
Capability assessment
Purpose & Capability
Name, README, SKILL.md, and the included scripts all align: the code fetches mp.weixin.qq.com or weixin.sogou.com pages and parses metadata/content using cheerio and script parsing. Declared npm dependencies match the parsing/HTTP tasks.
Instruction Scope
The runtime code performs HTTP requests to arbitrary user-supplied URLs and parses page scripts. It constructs and runs new Function(...) on JavaScript extracted from page <script> tags to recover data (and recurses to follow transfer links). Executing code derived from remote pages is dangerous (can cause CPU/IO abuse or access globals) even if used to parse data; the SKILL.md does not warn about this or require sandboxing. The instructions don’t ask for extra credentials or system files, but the dynamic evaluation of untrusted content is scope-expanding.
Install Mechanism
No install spec is provided (instruction-only), but package.json and package-lock.json are included, meaning a user will need to run npm install to use the code. The lockfile contains many transitive dependencies (some unexpected packages appear in the lockfile), but no direct download-from-URL or third-party install mechanism was found. Recommend running npm audit and installing in an isolated environment.
Credentials
The skill does not request environment variables, credentials, or system config paths. The code does not read process.env or other secrets. This is proportionate to the stated purpose.
Persistence & Privilege
The skill is not always-enabled and is user-invocable (normal). It includes a .claude/settings.local.json file that references an "enabledMcpjsonServers" value (cloudbase) and a flag to enable project MCP servers — this is a local config snippet and does not by itself escalate privileges, but it is unexpected metadata and worth reviewing if you run this in a managed Claude/agent environment.
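How to use
- Make sure OpenClaw is installed (locally or via a Docker deployment).
- Enter the install command in the chat box: `/install wechat-article-extractor-skill`
- Once installation completes, invoke the Skill directly by name or trigger it with `/wechat-article-extractor-skill`.
- Provide the required input according to the Skill's parameter description to get structured output.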
Version history
v1.0.1
- Removed the convert.js file.
v1.0.0
WeChat Article Extractor v1.0.0
- Initial release.
- Extracts metadata and content from WeChat Official Account articles, covering posts, videos, images, voice messages, text, and reposts.
- Supports parsing from both direct URLs and raw HTML source.
- Provides account and article metadata (title, author, content, publish time, cover image, and more).
- Includes multiple configuration options and detailed error handling with specific error codes.
- Compatible with Sogou WeChat search results.
FAQ
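What is 微信公众号文章解析 (WeChat Official Account Article Parser)?
Extract metadata and content from WeChat Official Account articles. Use when user needs to parse WeChat article URLs (mp.weixin.qq.com), extract article info... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 1701 cumulative downloads to date.
How do I install 微信公众号文章解析?
Run the command `/install wechat-article-extractor-skill` in the OpenClaw or Claude Code chat box for one-step installation; no additional configuration is required.
Is 微信公众号文章解析 free?
Yes, 微信公众号文章解析 is completely free (free and open source) and can be freely downloaded, installed, and used.
Which platforms does 微信公众号文章解析 support?
微信公众号文章解析 runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed 微信公众号文章解析?
It is developed and maintained by 苍何 (@freestylefly); the current version is v1.0.1.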