← 返回 Skills 市场
2965
总下载
8
收藏
22
当前安装
4
版本数
在 OpenClaw 中安装
/install wechat-search
功能描述
Search WeChat Official Account articles using OpenClaw's web search, Tavily API, and web fetch capabilities with compliance-focused design.
安全使用建议
This skill contains mismatches and runtime assumptions you should verify before installing. Specific concerns:
- The code expects a TAVILY_API_KEY (and falls back to ~/.openclaw/tavily-config.json) but the skill metadata does not declare this required credential — if you enable the skill and set that env var it will be used by subprocesses. Only provide secrets you trust the skill to use and declare.
- The Python code invokes external binaries (node and the OpenClaw CLI) via subprocess; ensure those binaries exist and are the versions you expect. If you don't run node or OpenClaw in the environment, the skill may fail or behave unexpectedly.
- The code executes a Node.js script via an absolute path in /root/.openclaw/workspace/skills/... — that means the skill will run code from other skill workspaces. Before enabling, inspect the referenced script (search.mjs) and any other code under that path to ensure it is safe and hasn't been tampered with.
- Because the skill spawns subprocesses, it can pass environment variables to child processes. Avoid installing it in environments containing sensitive credentials unless you audited the invoked scripts.
Recommended actions:
- Ask the publisher to update the registry metadata and SKILL.md to explicitly declare required env vars (TAVILY_API_KEY), required binaries (node, openclaw), and any expected config file paths.
- Inspect the referenced Node script (/root/.openclaw/workspace/skills/tavily-search/scripts/search.mjs) and confirm its provenance before allowing the skill to run it.
- If possible, run the skill in a sandboxed environment (container) without access to sensitive environment variables or host files until you are comfortable.
- If you cannot inspect or sandbox the invoked Node script and you need to keep your environment sealed, do not install or enable this skill.
Confidence: high — the mismatch between declared metadata/instructions and the actual code paths (undisclosed env var use, subprocess execution of other-skill scripts, absolute paths) is clear and material.
功能分析
Type: OpenClaw Skill
Name: wechat-search
Version: 1.0.3
The skill uses `subprocess.run` in `wechat_search.py`, `wechat_search_fixed.py`, and `wechat_search_simple.py` to execute external scripts and OpenClaw tools. Specifically, it calls `node /root/.openclaw/workspace/skills/tavily-search/scripts/search.mjs` for Tavily search and `openclaw tool web_fetch` for direct web scraping. While these actions are plausibly aligned with the stated purpose of a multi-layer search strategy and arguments are passed as lists (reducing direct shell injection risk), the use of `subprocess.run` to execute arbitrary external scripts (even if internal to the OpenClaw ecosystem) represents a powerful capability that warrants a 'suspicious' classification due to its inherent risk, without clear evidence of intentional malicious behavior.
能力评估
Purpose & Capability
The description and SKILL.md claim use of OpenClaw web tools and Tavily as optional, but the packaged Python code actually requires a TAVILY_API_KEY, invokes Node.js scripts, and calls the 'openclaw' CLI. The registry metadata lists no required env vars or binaries, so the actual capabilities (need for Node and OpenClaw CLI, and access to Tavily) are not reflected in the declared requirements. The code also hardcodes absolute paths (/root/.openclaw/workspace/skills/...), which implies cross-skill or privileged assumptions that don't match the stated purpose.
Instruction Scope
SKILL.md describes a three-layer strategy and mentions web_search/web_fetch tools and optional API keys, but the code performs additional actions not clearly documented: it reads ~/.openclaw/tavily-config.json as a fallback, and directly executes a Node.js script at an absolute workspace path. The instructions do not document executing other skills' scripts or requiring Node/OpenClaw binaries, giving the agent broader runtime actions than advertised.
Install Mechanism
There is no install spec (instruction-only), so nothing is automatically downloaded or installed by the skill bundle itself. That lowers disk-write risk. However, the runtime relies on external binaries (node, openclaw) being present; those are not installed by the skill.
Credentials
The package metadata declares no required environment variables, yet multiple code paths demand TAVILY_API_KEY (and attempt to load it from ~/.openclaw/tavily-config.json). This is a mismatch: a credential is effectively required but not declared. The skill also inherits the process environment when invoking subprocesses, so it could leak additional env vars to child processes if present.
Persistence & Privilege
The skill is not marked always:true and does not persistently modify system config, which is good. However it executes other-skill code by invoking a hardcoded Node script in /root/.openclaw/workspace/skills/tavily-search/scripts/search.mjs and calls the OpenClaw CLI; this means it assumes and acts on workspace files belonging to other skills/runtime and can execute arbitrary code there. Accessing/executing other skills' files is a cross-skill privilege that the SKILL.md and metadata do not disclose.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install wechat-search - 安装完成后,直接呼叫该 Skill 的名称或使用
/wechat-search触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.3
- Added Tavily Search API as a secondary search option, expanding from a two-layer to a three-layer search strategy.
- Updated documentation to reflect the new search order: primary (Brave Search), secondary (Tavily), fallback (direct web fetch).
- Improved fallback logic and error handling, ensuring graceful degradation across all three strategies.
- Added example for forcing a specific search strategy in the command-line usage.
- Enhanced compliance documentation to clarify API key usage and strategy details.
v1.0.2
- Removed all test files and test configuration (run_tests.py and tests/ directory).
- Updated README.md and requirements.txt (details not provided).
- No changes to core functionality.
v1.0.1
- Added a complete test suite, including unit and debug test scripts and configuration files.
- Enhanced maintainability and reliability by introducing automated testing.
- Updated documentation and dependencies to reflect new testing capabilities.
v1.0.0
Initial release of wechat-search skill.
- Search WeChat Official Account (微信公众号) articles using a compliant, two-layer strategy (web search first, respectful web-fetch fallback).
- Supports recency and date range filters; returns up to 20 results, 5 by default.
- Multiple output formats: text, JSON, and markdown.
- Respects robots.txt, uses clear User-Agent, follows rate limiting, and only accesses public content.
- Requires OpenClaw web tools; optional Tavily API integration for search.
- Includes robust error handling with retries and graceful fallback between search methods.
元数据
常见问题
Wechat Search 是什么?
Search WeChat Official Account articles using OpenClaw's web search, Tavily API, and web fetch capabilities with compliance-focused design. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 2965 次。
如何安装 Wechat Search?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install wechat-search」即可一键安装,无需额外配置。
Wechat Search 是免费的吗?
是的,Wechat Search 完全免费(开源免费),可自由下载、安装和使用。
Wechat Search 支持哪些平台?
Wechat Search 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Wechat Search?
由 Jixson(@jixsonwang)开发并维护,当前版本 v1.0.3。
推荐 Skills