wemp-ops 安全扫描报告 — 可信 | ClawSafe

5 /100

wemp-ops

微信公众号全流程运营技能：选题→采集→写作→排版→发布→数据分析→评论管理

Legitimate WeChat Official Account content management skill with no malicious behavior detected. The pre-scan flag for hardcoded IP is a false positive — 120.0.0.0 is a Chrome version number in the User-Agent string, not an IP address.

技能名称wemp-ops

分析耗时55.1s

引擎pi

✓

可以安装

Skill is safe to use. Optionally move WeChat credentials from config/default.json to environment variables for easier credential rotation.

资源类型	声明权限	推断权限	状态	证据
命令执行	`WRITE`	`WRITE`	✓ 一致	SKILL.md documents node/publisher.mjs, python3/markdown_to_html.py, node/setup.m…
网络访问	`READ`	`READ`	✓ 一致	All network requests are to legitimate services: api.weixin.qq.com (WeChat API),…
文件系统	`READ`	`WRITE`	✓ 一致	SKILL.md documents writing drafts (draft-v1.md), saving plans (illustration-plan…
环境变量	`NONE`	`NONE`	—	No os.environ iteration, no credential harvesting from environment
技能调用	`NONE`	`NONE`	—	Skill may reference xiaohongshu-ops for cross-platform distribution but this is …
浏览器	`NONE`	`READ`	✓ 一致	SKILL.md documents browser screenshot for cover image (Method C) and product scr…

1 高危 43 项发现

📡

高危 IP 地址硬编码 IP 地址

120.0.0.0

scripts/fetch_news.py:11

🔗

中危外部 URL 外部 URL

https://simonwillison.net/2025/...

references/weixin-constraints.md:71

🔗

中危外部 URL 外部 URL

https://docs.anthropic.com/en/docs/...

references/weixin-constraints.md:72

🔗

中危外部 URL 外部 URL

https://en.wikipedia.org/wiki/Wikipedia:Signs_of_AI_writing

references/writing-techniques.md:161

🔗

中危外部 URL 外部 URL

https://hacker-news.firebaseio.com/v0/topstories.json

scripts/fetch_news.py:51

🔗

中危外部 URL 外部 URL

https://hacker-news.firebaseio.com/v0/item/

scripts/fetch_news.py:55

🔗

中危外部 URL 外部 URL

https://news.ycombinator.com/item?id=

scripts/fetch_news.py:57

🔗

中危外部 URL 外部 URL

https://www.v2ex.com/api/topics/hot.json

scripts/fetch_news.py:70

🔗

中危外部 URL 外部 URL

https://s.weibo.com/top/summary?cate=realtimehot

scripts/fetch_news.py:76

🔗

中危外部 URL 外部 URL

https://s.weibo.com/top/summary

scripts/fetch_news.py:76

🔗

中危外部 URL 外部 URL

https://s.weibo.com

scripts/fetch_news.py:82

🔗

中危外部 URL 外部 URL

https://www.zhihu.com/api/v3/feed/topstory/hot-list-web?limit=50&desktop=true

scripts/fetch_news.py:86

🔗

中危外部 URL 外部 URL

https://gateway.36kr.com/api/mis/nav/newsflash/flow

scripts/fetch_news.py:95

🔗

中危外部 URL 外部 URL

https://36kr.com/newsflashes/

scripts/fetch_news.py:100

🔗

中危外部 URL 外部 URL

https://top.baidu.com/board?tab=realtime

scripts/fetch_news.py:104

🔗

中危外部 URL 外部 URL

https://www.baidu.com/s?wd=

scripts/fetch_news.py:108

🔗

中危外部 URL 外部 URL

https://api.juejin.cn/recommend_api/v1/article/recommend_all_feed

scripts/fetch_news.py:112

🔗

中危外部 URL 外部 URL

https://juejin.cn/post/

scripts/fetch_news.py:118

🔗

中危外部 URL 外部 URL

https://sspai.com/api/v1/article/index/page/get?limit=20&offset=0&created_at=0

scripts/fetch_news.py:122

🔗

中危外部 URL 外部 URL

https://sspai.com/post/

scripts/fetch_news.py:124

🔗

中危外部 URL 外部 URL

https://www.ithome.com/

scripts/fetch_news.py:128

🔗

中危外部 URL 外部 URL

https://www\.ithome\.com/\d+/\d+/\d+/\d+\.htm

scripts/fetch_news.py:131

🔗

中危外部 URL 外部 URL

https://www.producthunt.com/

scripts/fetch_news.py:136

🔗

中危外部 URL 外部 URL

https://www.producthunt.com/posts/

scripts/fetch_news.py:140

🔗

中危外部 URL 外部 URL

https://api.bilibili.com/x/web-interface/ranking/v2?rid=0&type=all

scripts/fetch_news.py:144

🔗

中危外部 URL 外部 URL

https://www.bilibili.com/video/

scripts/fetch_news.py:146

🔗

中危外部 URL 外部 URL

https://www.douyin.com/aweme/v1/web/hot/search/list/

scripts/fetch_news.py:150

🔗

中危外部 URL 外部 URL

https://www.douyin.com/

scripts/fetch_news.py:150

🔗

中危外部 URL 外部 URL

https://www.douyin.com/search/

scripts/fetch_news.py:154

🔗

中危外部 URL 外部 URL

https://www.toutiao.com/hot-event/hot-board/?origin=toutiao_pc

scripts/fetch_news.py:158

🔗

中危外部 URL 外部 URL

https://r.inews.qq.com/gw/event/hot_ranking_list?page_size=50

scripts/fetch_news.py:164

🔗

中危外部 URL 外部 URL

https://cache.thepaper.cn/contentapi/wwwIndex/rightSidebar

scripts/fetch_news.py:170

🔗

中危外部 URL 外部 URL

https://www.thepaper.cn/newsDetail_forward_

scripts/fetch_news.py:172

🔗

中危外部 URL 外部 URL

https://bbs.hupu.com/all-gambia

scripts/fetch_news.py:176

🔗

中危外部 URL 外部 URL

https://bbs.hupu.com

scripts/fetch_news.py:180

🔗

中危外部 URL 外部 URL

https://api-one-wscn.awtmt.com/apiv1/content/lives?channel=global-channel&limit=30

scripts/fetch_news.py:184

🔗

中危外部 URL 外部 URL

https://wallstreetcn.com/live/

scripts/fetch_news.py:186

🔗

中危外部 URL 外部 URL

https://www.cls.cn/nodeapi/updateTelegraphList?app=CailianpressWeb&os=web&rn=

scripts/fetch_news.py:190

🔗

中危外部 URL 外部 URL

https://www.cls.cn/detail/

scripts/fetch_news.py:195

🔗

中危外部 URL 外部 URL

https://api.weixin.qq.com/cgi-bin/token?grant_type=client_credential&appid=$

scripts/lib/utils.mjs:105

🔗

中危外部 URL 外部 URL

https://api.weixin.qq.com$

scripts/lib/utils.mjs:116

🔗

中危外部 URL 外部 URL

https://mp.weixin.qq.com/cgi-bin/showqrcode?ticket=$

scripts/lib/utils.mjs:389

🔗

中危外部 URL 外部 URL

https://www.python.org/downloads/

scripts/setup.mjs:30

目录结构

28 文件 · 170.4 KB · 4313 行

Markdown 13f · 2521L JavaScript 8f · 1111L Python 2f · 534L JSON 5f · 147L

├─ ▾ 📁 assets

│ └─ ▾ 📁 templates

│ ├─ 📋 business.json JSON 27L · 2.1 KB

│ ├─ 📋 minimal.json JSON 27L · 1.9 KB

│ └─ 📋 tech.json JSON 27L · 2.1 KB

├─ ▾ 📁 config

│ └─ 📋 default.json JSON 25L · 527 B

├─ ▾ 📁 evals

│ ├─ ▾ 📁 results

│ │ ├─ 📝 article-with-skill.md Markdown 34L · 1.8 KB

│ │ └─ 📝 article-without-skill.md Markdown 28L · 1.3 KB

│ └─ 📋 evals.json JSON 41L · 2.0 KB

├─ ▾ 📁 references

│ ├─ 📝 article-templates.md Markdown 131L · 3.2 KB

│ ├─ 📝 cover-image-guide.md Markdown 282L · 9.8 KB

│ ├─ 📝 illustration-prompts.md Markdown 692L · 25.3 KB

│ ├─ 📝 infographic-layouts.md Markdown 192L · 6.7 KB

│ ├─ 📝 style-guide.md Markdown 96L · 4.1 KB

│ ├─ 📝 weixin-constraints.md Markdown 92L · 2.6 KB

│ ├─ 📝 writing-sop.md Markdown 106L · 4.3 KB

│ └─ 📝 writing-techniques.md Markdown 381L · 17.6 KB

├─ ▾ 📁 scripts

│ ├─ ▾ 📁 lib

│ │ └─ 📜 utils.mjs JavaScript 415L · 16.8 KB

│ ├─ 📜 check_comments.mjs JavaScript 88L · 2.7 KB

│ ├─ 📜 daily_report.mjs JavaScript 103L · 4.3 KB

│ ├─ 🐍 fetch_news.py Python 253L · 12.4 KB

│ ├─ 🐍 markdown_to_html.py Python 281L · 11.2 KB

│ ├─ 📜 publisher.mjs JavaScript 194L · 6.3 KB

│ ├─ 📜 reply_comment.mjs JavaScript 53L · 1.6 KB

│ ├─ 📜 setup.mjs JavaScript 45L · 1.6 KB

│ ├─ 📜 smart_collect.mjs JavaScript 92L · 3.6 KB

│ └─ 📜 weekly_report.mjs JavaScript 121L · 4.8 KB

├─ 📝 persona.md Markdown 36L · 1.3 KB

├─ 📝 README.md Markdown 59L · 1.5 KB

└─ 📝 SKILL.md Markdown 392L · 16.9 KB

依赖分析 2 项

包名	版本	来源	已知漏洞	备注
`fetch_news.py`	`stdlib only`	python3 stdlib	否	Uses only urllib, json, re, argparse — no pip dependencies
`markdown_to_html.py`	`stdlib only`	python3 stdlib	否	Uses only html, re, json, pathlib, subprocess — no pip dependencies

安全亮点

✓ Pure stdlib Python implementation — no third-party dependencies in fetch_news.py (no supply chain risk)

✓ All subprocess/shell execution is explicitly documented in SKILL.md with exact commands

✓ No base64 encoding, no obfuscation, no eval() patterns

✓ No credential exfiltration — WeChat appId/appSecret only used for internal api.weixin.qq.com API calls

✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)

✓ No reverse shell, C2, or data exfiltration patterns

✓ No hidden instructions in HTML comments or documentation

✓ WeChat API integration follows standard OAuth2 client_credential flow

✓ Credentials scoped to WeChat Official Account management only