mouzhi

WeChat Work Doc Fetcher

Author: mouzhi · GitHub · v1.0.0
cross-platform ⚠ suspicious
Total downloads: 643
Favorites: 0
Current installs: 4
Versions: 1
Install in OpenClaw
/install wecom-doc-fetcher
Description
Fetch and convert WeChat Work developer docs pages into clean Markdown files for use in Obsidian, handling SPA content and required authentication.
Security usage recommendations
Key points to consider before installing/using:
- The tool needs an authenticated session cookie to fetch protected pages. The SKILL.md's wording that Playwright 'gets session cookies automatically' is misleading — the script uses Playwright only to extract doc_id and does not transfer browser cookies into the requests.Session. You will usually need to supply cookies via --cookies or by editing COOKIES_RAW. Treat those cookies like passwords: only paste them into the script on machines you trust, and consider revoking the session after use.
- Playwright requires installing a headless Chromium (~150 MB). Install it only if you accept that download and run browser automation locally.
- The script only contacts developer.work.weixin.qq.com (no other remote endpoints). You can verify network calls by reviewing the code (fetch_doc uses a single POST to the site) or by running the script in a network-monitored/isolated environment.
- If you want the advertised 'automatic' behavior (no manual cookie paste), you or the author would need to modify the script to extract cookies from Playwright and transfer them into the requests.Session before calling the API; as-is, the documentation overpromises.
- If you are uncomfortable pasting session cookies into a script, use the manual fallback to get doc_id and then query the API using a browser-exported curl only on an environment you control, or ask the author to add Playwright cookie transfer or OAuth support. Run the script in an isolated environment (container/VM) if possible.
Functional analysis
Type: OpenClaw Skill
Name: wecom-doc-fetcher
Version: 1.0.0
The `wx_doc_fetch.py` script contains significant vulnerabilities. It directly uses user-provided input for the output file path (`args.output`) without sanitization, leading to a file path traversal vulnerability (e.g., writing to `../../../../etc/passwd`). Additionally, the script fetches content from user-provided URLs (`args.url`) using `requests` and `playwright` without domain validation, creating a Server-Side Request Forgery (SSRF) vulnerability. Both vulnerabilities could be exploited by a malicious user through prompt injection against the OpenClaw agent, instructing it to use the skill with harmful arguments.
Capability assessment
Purpose & Capability
The code and SKILL.md align with the stated purpose: they fetch developer.work.weixin.qq.com content_md and clean it for Obsidian. Requiring a session cookie for authenticated pages is expected. However, the README/SKILL.md claim that Playwright 'obtains session cookies automatically — no manual cookie setup needed' is misleading: get_doc_id_via_playwright only extracts doc_id and does not transfer Playwright/browser cookies into the requests.Session used for the actual API POST.
Instruction Scope
Instructions ask users to install Playwright/Chromium and optionally paste browser cookies. The runtime SKILL.md implies Playwright will both find doc_id and handle authentication automatically; the script only uses Playwright to intercept the XHR and extract doc_id. After that, the requests.Session uses COOKIES_RAW or --cookies. This mismatch could lead users to believe no manual cookie handling is needed and either share cookies unnecessarily or fail to get content_md unexpectedly.
Install Mechanism
This is an instruction-only skill (no automated install spec). SKILL.md instructs users to pip install playwright and run `playwright install chromium`, which will download a ~150 MB headless Chromium binary from Playwright's release infrastructure. That download is large but expected for browser automation; there is no hidden or unusual external installer in the skill bundle itself.
Credentials
The skill declares no required env vars or credentials in registry metadata, which matches the code. However the tool requires session cookies for authenticated API access; those are sensitive (session id / JWT) and the script provides a COOKIES_RAW variable and a --cookies flag to accept them. Requiring cookies is proportionate to the task, but handing them to the script is a sensitive operation and should be done deliberately.
Persistence & Privilege
The skill does not request permanent inclusion, does not modify other skills or system configuration, and does not persist beyond writing the requested markdown file. It runs as an on-demand script and does not elevate privileges.
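How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install wecom-doc-fetcher
  3. Once installation completes, invoke the Skill by name or trigger it with /wecom-doc-fetcher
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history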
v1.0.0
Initial release: Convert WeChat Work API docs to clean Markdown via private API
Metadata
Slug: wecom-doc-fetcher
Version: 1.0.0
License
Total installs: 4
Current installs: 4
Historical versions: 1
FAQ

What is WeChat Work Doc Fetcher?

Fetch and convert WeChat Work developer docs pages into clean Markdown files for use in Obsidian, handling SPA content and required authentication. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 643 total downloads to date.

How do I install WeChat Work Doc Fetcher?

Run the command "/install wecom-doc-fetcher" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.

Is WeChat Work Doc Fetcher free?

Yes, WeChat Work Doc Fetcher is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does WeChat Work Doc Fetcher support?

WeChat Work Doc Fetcher runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed WeChat Work Doc Fetcher?

Developed and maintained by mouzhi (@mouzhi); the current version is v1.0.0.
