← 返回 Skills 市场
98
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install wechatarticle-extractor
功能描述
Extract metadata and content from WeChat Official Account articles. Use when user needs to parse WeChat article URLs (mp.weixin.qq.com), extract article info...
安全使用建议
This skill mostly matches its description (it fetches and parses WeChat article pages), but take these precautions before installing or running it:
- Inspect or remove helper scripts: do not run convert.js or run-extract.js unmodified — they contain hardcoded absolute paths that will read/write files in specific user home directories. Those files look like developer convenience scripts and are not needed for normal CLI usage.
- Beware dynamic execution: scripts/extract.js uses new Function(...) to evaluate JavaScript taken from page <script> blocks. That can execute arbitrary code from the scraped page. Only run this tool on unprivileged hosts or inside a sandbox/container, and avoid feeding it URLs from untrusted sources.
- Run in an isolated environment (VM, container) and avoid running as an administrator/root user. Review which files will be written and consider changing output paths to a safe directory.
- If you need higher assurance, ask the maintainer whether the new Function usage is strictly limited to parsing static assignment expressions (and for a code comment or test showing sanitization), and request removal or disabling of developer scripts with hardcoded paths.
Given these issues, treat the skill as suspicious rather than outright malicious; it may be benign developer leftovers, but it includes risky behaviors you should address before use.
功能分析
Type: OpenClaw Skill
Name: wechatarticle-extractor
Version: 1.0.0
The skill contains a significant security vulnerability in `scripts/extract.js`, where it uses `new Function()` to execute JavaScript code extracted directly from the HTML of the target WeChat article. This creates a Remote Code Execution (RCE) risk if the tool is directed to a malicious URL designed to exploit this parsing logic. Additionally, `convert.js` and `run-extract.js` contain hardcoded absolute file paths (e.g., `/Users/canghe/` and `C:/Users/xsl/`), suggesting the bundle was packaged from a local development environment without proper sanitization. While these issues represent poor security practices and high risk, there is no clear evidence of intentional malice or data exfiltration.
能力评估
Purpose & Capability
The name/description and the main scripts (scripts/extract.js, bin/wechat-extract.js) match the stated purpose (fetch and parse mp.weixin.qq.com pages). However there are additional files (convert.js, run-extract.js) that read/write absolute user-specific filesystem paths and embed a concrete example URL; those files are not necessary for the core scraping capability and are unexpected.
Instruction Scope
SKILL.md and the CLI instruct only network fetch + parsing. But repository files reference local filesystem paths (e.g. convert.js reads /Users/canghe/.../tool-results/b97eb13.txt and writes to /Users/canghe/Downloads/..., run-extract.js writes to C:/Users/xsl/...), which are outside the stated scope and would access user data if executed. Also scripts/extract.js uses new Function to execute code snippets extracted from page <script> tags — this executes untrusted JS scraped from webpages.
Install Mechanism
No install spec is provided (instruction-only from platform perspective). Dependencies are standard npm libs declared in package.json (cheerio, request-promise, etc.). There is no external download or obscure installer.
Credentials
The skill does not request environment variables or credentials, which is appropriate. But the presence of hardcoded absolute paths and sample-run files that access user home directories is disproportionate to a simple extractor and could read or overwrite local files if those helper scripts are run.
Persistence & Privilege
The skill is not always-enabled and doesn't request special platform privileges. It writes output files when used (expected for a CLI tool). The concern is file writes to unexpected, hardcoded locations in some scripts rather than a generic current-directory output.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install wechatarticle-extractor - 安装完成后,直接呼叫该 Skill 的名称或使用
/wechatarticle-extractor触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial major release — rewritten in Node.js for robust WeChat article extraction and CLI use.
- Add command-line interface (CLI) for article extraction to Markdown or JSON: `npx wechat-article-extractor <URL>`.
- Supports parsing WeChat article links (mp.weixin.qq.com), extracting metadata (title, author, publish time, etc.), and handling multiple article types (posts, videos, images, voices, reposts).
- Provides both CLI and programmatic (JavaScript API) usage.
- Detailed error handling with meaningful error codes and messages for various WeChat content restrictions or failures.
- Output supports Markdown, JSON, or HTML, with options for file path and format.
- Dependencies: cheerio, dayjs, request-promise, qs, lodash.unescape.
元数据
常见问题
微信公众号内容提取工具 是什么?
Extract metadata and content from WeChat Official Account articles. Use when user needs to parse WeChat article URLs (mp.weixin.qq.com), extract article info... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 98 次。
如何安装 微信公众号内容提取工具?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install wechatarticle-extractor」即可一键安装,无需额外配置。
微信公众号内容提取工具 是免费的吗?
是的,微信公众号内容提取工具 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
微信公众号内容提取工具 支持哪些平台?
微信公众号内容提取工具 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 微信公众号内容提取工具?
由 雨飞(@xls1994)开发并维护,当前版本 v1.0.0。
推荐 Skills