Trusted — Risk Score 5/100
Last scan: 2 days ago
weixin-web-fetch
Fetch complete content from WeChat public account articles (mp.weixin.qq.com)
Legitimate WeChat article fetcher with no malicious behavior; the flagged 'hardcoded IP' is a false positive (Chrome version string in User-Agent).
Skill Name: weixin-web-fetch
Duration: 34.7s
Engine: pi
Safe to install
Approve for use. No security concerns identified.

Findings (2 items)

Severity | Finding | Location

Info | Pre-scan false positive: hardcoded IP | scripts/weixin_fetch.py:17
The pre-scan flagged '134.0.0.0' at line 17 as a hardcoded IP. This is actually the Chromium version number embedded in the User-Agent string: 'Chrome/134.0.0.0'. No IP connection is made to this value.
    USER_AGENT = "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_7_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36"
→ No action needed. This is a browser version identifier, not an IOC.

Info | Undeclared browser header simulation | scripts/weixin_fetch.py:97
The script simulates a full browser request with sec-ch-ua, sec-fetch-* and other client-hint and fetch-metadata headers to get past WeChat's anti-bot checks. This is implicit network/browser READ behavior that SKILL.md does not document.
    "sec-ch-ua": '"Chromium";v="134", "Not:A-Brand";v="24"', ...
→ Consider adding a note in SKILL.md that the tool simulates browser headers. This is benign but worth documenting.
Resource | Declared | Inferred | Status | Evidence
Filesystem | NONE | NONE | | No file read/write operations in weixin_fetch.py
Network | READ | READ | ✓ Aligned | scripts/weixin_fetch.py:130 — httpx.Client GET to WeChat URL
Shell | NONE | NONE | | No subprocess or shell invocation found
Environment | NONE | NONE | | No os.environ access in code
Skill Invoke | NONE | NONE | | No nested skill calls
Clipboard | NONE | NONE | | No clipboard operations
Browser | NONE | READ | ✓ Aligned | Simulates browser headers (User-Agent, sec-ch-ua, Accept-Language) to bypass WeC…
Database | NONE | NONE | | No database access
Pre-scan flags: 1 High · 2 findings
📡 High | IP Address (Hardcoded IP address) | 134.0.0.0 | scripts/weixin_fetch.py:17
🔗 Medium | External URL | https://mp.weixin.qq.com/s/2o2s3owEDkZziyD0UCeq2w | SKILL.md:37

File Tree

3 files · 8.8 KB · 249 lines
Python: 1 file · 208 lines; Markdown: 1 file · 38 lines; Text: 1 file · 3 lines
├─ 📁 scripts
│ └─ 🐍 weixin_fetch.py Python 208L · 7.7 KB
├─ 📄 requirements.txt Text 3L · 50 B
└─ 📝 SKILL.md Markdown 38L · 1.1 KB

Dependencies (3 items)

Package | Version | Source | Known Vulns | Notes
httpx | >=0.20.0 | pip | No | Version lower bound specified, no known CVEs at this version range
readability-lxml | >=0.8.1 | pip | No | Content extraction library, no known CVEs
lxml | >=4.0.0 | pip | No | Well-maintained XML/HTML parser, no critical CVEs at this version range

Security Positives

✓ All network requests are made only to the user-provided WeChat URL
✓ No credential harvesting, environment variable enumeration, or secrets access
✓ No shell execution, subprocess, or dynamic code evaluation
✓ URL validation prevents arbitrary host access (only http/https schemes accepted)
✓ Standard, well-known dependencies (httpx, readability-lxml) with version constraints
✓ Clear, focused single-purpose design with no mission creep
✓ No data exfiltration or external telemetry
✓ Content truncation prevents resource exhaustion