Search WeChat Official Account articles using OpenClaw's web search and fetch capabilities with compliance-focused design.
Security Analysis
medium confidence
The skill's code and instructions largely match its stated purpose, but there are multiple mismatches between the SKILL.md claims and the manifest/code (undeclared tool dependency, unimplemented compliance checks, and undocumented optional credentials) that warrant caution before installing.
The skill claims to operate via OpenClaw's web_search and web_fetch tools (SKILL.md and code call 'openclaw tool ...'), but the registry metadata lists no required binaries or primary credential. The skill therefore depends on an external 'openclaw' CLI binary that is not declared in the manifest. That is an incoherence: a search skill legitimately needs the OpenClaw tools, but the manifest should declare that requirement so users know the runtime dependency and permission surface.
SKILL.md promises robots.txt respect, rate limiting, explicit User-Agent, and 'no data retention'. The Python implementation does expose a request_delay_ms config and a User-Agent string in examples, but it does not itself check robots.txt or enforce delays (it delegates network work to the external 'openclaw' tools). parse_fetch_results is a placeholder and returns an empty list, so some advertised functionality (web_fetch parsing) is unimplemented. The SKILL.md also instructs creating ~/.openclaw/wechat-search-config.json, but the code only loads a config file if passed via --config (it doesn't automatically look in that path), another mismatch.
There is no install spec (instruction-only), which is low-risk, but the package includes code (wechat_search.py) and requirements.txt without providing an install step. The missing declaration that 'openclaw' CLI is required is an operational gap: users may try to run the script expecting it to work without installing the external tools. No remote downloads or strange install URLs are present.
SKILL.md mentions an optional Tavily API Key for enhanced search capabilities, but the manifest's required env list is empty and the code does not read any environment variables. This is an undocumented credential expectation. While no credentials are explicitly requested by the manifest, the skill will attempt to call external tools that may themselves require credentials—this indirection is not declared and increases the attack surface because the skill's behavior depends on external tool configuration.
The skill is not marked always:true and doesn't request system-wide configuration changes. It does not persist data to disk in the provided code (it reads an optional config file only if supplied). No elevated or persistent privileges are requested by the manifest.
Guidance
This skill appears to implement a reasonable WeChat search helper, but there are several mismatches you should resolve before installing:
(1) The code calls an external 'openclaw' CLI (web_search/web_fetch) but the manifest does not declare that binary requirement; ensure you trust and inspect the 'openclaw' tool and know where it comes from.
(2) SKILL.md promises robots.txt respect and rate limiting, but the Python code delegates network access to the external tools and does not implement robots.txt checks or enforced delays itself; verify the external tools actually implement those compliance behaviors.
(3) An optional Tavily API key is mentioned but not declared or read by the code; confirm whether you must supply credentials and how they will be used.
(4) The web_fetch parsing is marked as not implemented; expect reduced functionality until that is completed.
Recommended actions: run the skill in a sandbox, inspect and verify the 'openclaw' CLI binary and any third-party tools it invokes, add/require explicit declarations for needed binaries and environment variables, and only grant credentials after confirming they are necessary and used as described.
Latest Release
v1.0.3
Version 1.0.3 of wechat-search-release
- No file changes detected in this release.
- No updates to features, documentation, or configuration.
- Functionality remains consistent with the previous version.
Published by @jixsonwang on ClawHub