Trusted — Risk Score 10/100
Last scan: 2 days ago
wechat-content-studio
WeChat Official Account content studio: multi-source authoritative search, multi-site article scraping, AI rewriting, cover generation, and smart typesetting and publishing in one tool
WeChat content studio skill performs standard web scraping, AI rewriting, and publishing — all capabilities are declared, all network calls are to legitimate documented services, and there is no malicious behavior.
Skill Name: wechat-content-studio
Duration: 79.1s
Engine: pi
Safe to install
No action required. The skill is a legitimate content creation tool.

Findings (3 items)

Severity: Info
Finding: Pre-scan false positive: 'hardcoded IP 125.0.0.0'
Location: scripts/search/multi_source_search.js:49
The pre-scan flagged line 49 of multi_source_search.js as containing the hardcoded IP '125.0.0.0'. This is a false positive — the string is 'Chrome/125.0.0.0', a Chrome browser version number inside a User-Agent constant, not an IP address.
Evidence: 'Mozilla/5.0 ... Chrome/125.0.0.0 Safari/537.36'
→ No action needed. Suppress this pre-scan finding as a false positive.

Severity: Low
Finding: Shell execution via execSync not explicitly declared in SKILL.md
Location: scripts/main.js:1024
SKILL.md lists Bash as an allowed tool and documents CLI dependencies (wenyan-cli, uvx browser-use, pip install) but does not explicitly document the execSync invocations of Python scripts in main.js. This is a documentation gap rather than a security violation, since the executed commands are the documented required external skills (wechat-typeset-pro, multi-site-extractor).
Evidence: execSync(cmd, { stdio: 'inherit', env: process.env })
→ Consider adding the execSync usage to SKILL.md for full transparency; the behavior itself is legitimate.

Severity: Low
Finding: Proxy defaults to localhost port 7890
Location: scripts/search/multi_source_search.js:27
PROXY_URL defaults to 'http://127.0.0.1:7890' (a common Clash/V2Ray proxy port) when no HTTPS_PROXY is set. This is expected for a China-based tool, but it means the skill will silently fail if no proxy is available on that port.
Evidence: || 'http://127.0.0.1:7890';
→ Document the proxy requirement in SKILL.md, or make the failure explicit rather than silent.
Resource | Declared | Inferred | Status | Evidence
Filesystem | WRITE | WRITE | ✓ Aligned | SKILL.md declares Bash+Read+Write; writes to ~/WorkBuddy/ and skill directories
Network | READ | READ | ✓ Aligned | All network calls are to documented services: Brave Search, HN Algolia API, GitH…
Shell | WRITE | WRITE | ✓ Aligned | execSync calls Python scripts for wechat-typeset-pro and multi-site-extractor; S…
Environment | NONE | READ | ✓ Aligned | Reads WECHAT_APP_ID, WECHAT_APP_SECRET, DASHSCOPE_API_KEY, OPENAI_API_KEY — all …
Clipboard | NONE | NONE | | No clipboard access found
Browser | NONE | NONE | | No browser automation; browser-use is an optional external dependency for manual…
Database | NONE | NONE | | No database access found
Skill Invoke | NONE | NONE | | References external skills (wechat-typeset-pro, multi-site-extractor) by path bu…
Pre-scan findings: 63 (1 High). The Medium items are all external URLs, most of them dependency tarball URLs in package-lock.json hosted on registry.npmmirror.com.

High · IP Address (hardcoded IP address)
125.0.0.0
scripts/search/multi_source_search.js:49

Medium · External URL
http://127.0.0.1:7890
SKILL.md:176
Medium · External URL: https://api.weixin.qq.com/cgi-bin/token?grant_type=client_credential&appid=$ (scripts/publisher/api_publish.js:71)
Medium · External URL: https://api.weixin.qq.com/cgi-bin/draft/add?access_token=$ (scripts/publisher/api_publish.js:90)
Medium · External URL: https://api.weixin.qq.com/cgi-bin/draft/update?access_token=$ (scripts/publisher/api_publish.js:127)
Medium · External URL: https://mp.weixin.qq.com/ (scripts/publisher/publish_browser.js:40)
Medium · External URL: https://dashscope.aliyuncs.com/compatible-mode/v1/chat/completions (scripts/rewriter/rewrite.js:144)
Medium · External URL: https://search.brave.com/search (scripts/search/multi_source_search.js:122)
Medium · External URL: https://hn.algolia.com/api/v1/search?query=$ (scripts/search/multi_source_search.js:277)
Medium · External URL: https://news.ycombinator.com/item?id=$ (scripts/search/multi_source_search.js:283)
Medium · External URL: http://export.arxiv.org/api/query?search_query=all:$ (scripts/search/multi_source_search.js:351)

File Tree

18 files · 178.8 KB · 5492 lines
JavaScript 12f · 4419L JSON 4f · 838L Markdown 2f · 235L
├─ 📁 scripts
│ ├─ 📁 extractor
│ │ └─ 📜 multi_site_bridge.js JavaScript 95L · 2.8 KB
│ ├─ 📁 image
│ │ └─ 📜 generate_cover.js JavaScript 263L · 7.1 KB
│ ├─ 📁 lib
│ │ ├─ 📝 .agent.memory.md Markdown 21L · 1003 B
│ │ └─ 📜 openclaw_env.js JavaScript 143L · 3.3 KB
│ ├─ 📁 publisher
│ │ ├─ 📜 api_publish.js JavaScript 214L · 6.4 KB
│ │ ├─ 📜 publish_browser.js JavaScript 260L · 7.0 KB
│ │ └─ 📜 publish_wenyan.js JavaScript 245L · 7.0 KB
│ ├─ 📁 rewriter
│ │ └─ 📜 rewrite.js JavaScript 402L · 12.1 KB
│ ├─ 📁 search
│ │ ├─ 📜 merge_articles.js JavaScript 179L · 5.1 KB
│ │ ├─ 📜 multi_source_search.js JavaScript 543L · 19.1 KB
│ │ └─ 📋 search_sources.json JSON 140L · 6.2 KB
│ ├─ 📜 auto-optimize.js JavaScript 119L · 3.5 KB
│ ├─ 📜 main.js JavaScript 1174L · 44.4 KB
│ └─ 📜 smart-optimize.js JavaScript 782L · 20.2 KB
├─ 📋 package-lock.json JSON 665L · 23.4 KB
├─ 📋 package.json JSON 20L · 622 B
├─ 📋 skill-config.json JSON 13L · 583 B
└─ 📝 SKILL.md Markdown 214L · 9.0 KB

Dependencies (7 items)

Package | Version | Source | Known Vulns | Notes
axios | ^1.6.0 | npm | No | Version range not pinned — minor version could introduce breaking changes
cheerio | ^1.2.0 | npm | No | Version range not pinned
commander | ^11.0.0 | npm | No | Version range not pinned
http-proxy-agent | ^7.0.2 | npm | No | Version range not pinned
https-proxy-agent | ^7.0.6 | npm | No | Version range not pinned
requests | * | pip | No | No version constraint; referenced in SKILL.md for multi-site-extractor but installed separately
beautifulsoup4 | * | pip | No | No version constraint

Security Positives

✓ No child_process exec/spawn/fork or eval found; the only child_process use is execSync, invoked solely for the documented Python tooling
✓ No base64/atob/decodeURIComponent obfuscation
✓ No .ssh, .aws, or other credential file path access
✓ No curl|bash or wget|sh remote script execution
✓ No hidden HTML comments or steganography
✓ All network destinations are declared and legitimate services
✓ Credential reading is limited to declared env vars (WECHAT_*, DASHSCOPE_*, OPENAI_*) used only for intended service calls
✓ Environment variable loading follows dotenv 'do-not-overwrite' convention — existing shell variables are not clobbered
✓ No data exfiltration or unauthorized outbound connections
✓ Complete SKILL.md documentation covering all major features and dependencies
✓ Dependencies use pinned versions in package-lock.json