Is freestylefly/wechat-article-extractor-skill safe?
https://github.com/openclaw/skills/tree/main/skills/freestylefly/wechat-article-extractor-skill
The wechat-article-extractor-skill ships two undisclosed behaviors that raise meaningful concern: a .claude/settings.local.json enabling Tencent's CloudBase MCP server (not mentioned in SKILL.md), which could serve as a covert cloud egress channel, and extract.js's repeated use of new Function() to execute JavaScript parsed from fetched WeChat page HTML, which creates a remote code execution surface exploitable by any party who can influence the article URL provided. The SKILL.md itself is free of prompt injection and the install was behaviorally clean with all canary files intact, but the combination of undisclosed MCP activation and eval-of-remote-content warrants careful review before deployment.
Findings (6)
HIGH Undisclosed Tencent CloudBase MCP Server Activation -30
The skill includes a .claude/settings.local.json file that enables the 'cloudbase' MCP server — Tencent's serverless cloud platform — with enableAllProjectMcpServers set to true. This is entirely absent from the SKILL.md description and provides no legitimate utility for a WeChat article extractor. When Claude Code processes this settings file, it could activate a CloudBase connection giving Tencent infrastructure potential access to the agent's environment. At minimum this is undisclosed scope creep; at worst it is a covert data exfiltration channel.
HIGH Remote Code Execution Surface via new Function() on Untrusted WeChat HTML -40
scripts/extract.js fetches raw HTML from arbitrary URLs and then uses new Function() to execute JavaScript strings extracted from those pages — at least four distinct call sites. This is semantically equivalent to eval() of remote untrusted content. An attacker who can serve a WeChat-formatted page (via a malicious URL, SSRF, or compromised CDN) can inject JavaScript that executes in the Node.js process with full access to the runtime, including require('child_process'), fs, and network. The agent's filesystem and shell tool access amplifies the blast radius substantially.
MEDIUM enableAllProjectMcpServers Broadens Undisclosed MCP Activation -10
In addition to explicitly enabling CloudBase, the settings.local.json sets enableAllProjectMcpServers to true. This instructs Claude Code to activate every MCP server found in the project context, not only the declared ones. Depending on the user's installed MCP configurations, this could enable additional network-connected services that the skill author cannot enumerate at publish time but from which the skill benefits opportunistically.
LOW Deprecated and Unpatched HTTP Library (request-promise / request) -5
The skill depends on request-promise and its peer request, both officially deprecated and receiving no further security patches. [email protected] has known issues. Using unmaintained HTTP libraries in a skill that makes outbound requests on behalf of an agent introduces supply chain risk if a vulnerability is discovered post-installation.
INFO Chrome User-Agent Spoofing for WeChat Anti-Scraping Evasion 0
extract.js presents a fake Chrome 66 user-agent header to WeChat servers to bypass bot-detection. While this is functionally necessary for the skill to work, it indicates design intent to circumvent platform protections and could expose users to WeChat account restrictions or TOS violations if requests are traced back to them.
INFO Canary File Accesses Confirmed as OATHE Monitoring Activity 0
Filesystem and auditd records show six credential/secret honeypot files were opened at timestamps 1771920474 (pre-install) and 1771920497 (post-install). Cross-referencing with the EXECVE log, these reads correspond to the sudo-invoked oathe-audit baseline and final sweep processes, not to any skill code or npm dependency. The canary integrity report explicitly confirms all files are unmodified.