Trusted: risk score 5/100
Last scan: 2 days ago
weixin-web-fetch
Fetch complete content from WeChat public account articles (mp.weixin.qq.com)
Legitimate WeChat article fetcher with no malicious behavior; the flagged 'hardcoded IP' is a false positive (Chrome version string in User-Agent).
Skill name: weixin-web-fetch
Analysis time: 34.7s
Engine: pi
Safe to install
Approve for use. No security concerns identified.

Security findings (2)

Severity | Finding | Location
Info | Pre-scan false positive: hardcoded IP | scripts/weixin_fetch.py:17
  The pre-scan flagged '134.0.0.0' at line 17 as a hardcoded IP. This is actually the Chromium version number embedded in the User-Agent string: 'Chrome/134.0.0.0'. No IP connection is made to this value.
  USER_AGENT = "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_7_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36"
  → No action needed. This is a browser version identifier, not an IOC.
Info | Undeclared browser header simulation | scripts/weixin_fetch.py:97
  The script simulates a full browser request with sec-ch-ua, sec-fetch, and other security headers to bypass WeChat anti-bot checks. This is implicit network/browser READ behaviour that is not explicitly documented.
  "sec-ch-ua": '"Chromium";v="134", "Not:A-Brand";v="24"', ...
  → Consider adding a note in SKILL.md that the tool simulates browser headers. This is benign but worth documenting.
Resource type | Declared permission | Inferred permission | Status | Evidence
Filesystem | NONE | NONE | | No file read/write operations in weixin_fetch.py
Network access | READ | READ | ✓ consistent | scripts/weixin_fetch.py:130: httpx.Client GET to WeChat URL
Command execution | NONE | NONE | | No subprocess or shell invocation found
Environment variables | NONE | NONE | | No os.environ access in code
Skill invocation | NONE | NONE | | No nested skill calls
Clipboard | NONE | NONE | | No clipboard operations
Browser | NONE | READ | ✓ consistent | Simulates browser headers (User-Agent, sec-ch-ua, Accept-Language) to bypass WeC…
Database | NONE | NONE | | No database access
Pre-scan indicators: 1 high-risk, 2 findings

Severity | Type | Indicator | Value | Location
High | IP address | Hardcoded IP address | 134.0.0.0 | scripts/weixin_fetch.py:17
Medium | External URL | External URL | https://mp.weixin.qq.com/s/2o2s3owEDkZziyD0UCeq2w | SKILL.md:37

Directory structure

3 files · 8.8 KB · 249 lines
Python: 1 file · 208 lines; Markdown: 1 file · 38 lines; Text: 1 file · 3 lines
├─ 📁 scripts
│ └─ 🐍 weixin_fetch.py Python 208L · 7.7 KB
├─ 📄 requirements.txt Text 3L · 50 B
└─ 📝 SKILL.md Markdown 38L · 1.1 KB

Dependency analysis (3)

Package | Version | Source | Known vulnerabilities | Notes
httpx | >=0.20.0 | pip | None known | Version lower bound specified, no known CVEs at this version range
readability-lxml | >=0.8.1 | pip | None known | Content extraction library, no known CVEs
lxml | >=4.0.0 | pip | None critical | Well-maintained XML/HTML parser, no critical CVEs at this version range

Security highlights

✓ All network requests are made only to the user-provided WeChat URL
✓ No credential harvesting, environment variable enumeration, or secrets access
✓ No shell execution, subprocess, or dynamic code evaluation
✓ URL validation prevents arbitrary host access (only http/https schemes accepted)
✓ Standard, well-known dependencies (httpx, readability-lxml) with version constraints
✓ Clear, focused single-purpose design with no mission creep
✓ No data exfiltration or external telemetry
✓ Content truncation prevents resource exhaustion