Wechat Publisher

Review

Audited by ClawScan on May 10, 2026.

Overview

This skill appears to do its advertised WeChat draft-publishing job, but it needs WeChat account credentials and may install an external npm CLI, so users should run it intentionally.

Before installing or using this skill, confirm you trust the wenyan-cli dependency, protect your WECHAT_APP_SECRET, and review the Markdown file plus all referenced images because publishing will upload them to WeChat and create a draft in the account backend.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone with access to those credentials and the script could create drafts and upload media in the linked WeChat Official Account.

Why it was flagged

The script reads WeChat AppID/AppSecret from a local workspace file when environment variables are not set; these credentials are expected for the service but grant WeChat account API authority.

Skill content

TOOLS_MD="$HOME/.openclaw/workspace/TOOLS.md" ... export WECHAT_APP_SECRET=$(grep "export WECHAT_APP_SECRET=" "$TOOLS_MD" ...)

Recommendation

Keep the AppSecret out of shared repositories, restrict access to TOOLS.md, rotate credentials if exposed, and consider declaring these credential requirements in the skill metadata.

What this means

A selected Markdown file and its referenced images may be uploaded to WeChat, producing a draft visible in the public account backend.

Why it was flagged

The core workflow sends article content and referenced images to WeChat and creates a draft. This matches the skill purpose, but it is still an account-mutating external action.

Skill content

✅ Automatically upload images to the WeChat image host ... ✅ One-click push to the draft box

Recommendation

Review the Markdown file and referenced local images before publishing, and only invoke the skill for content you intend to place in the WeChat draft system.

What this means

First use may modify the local global npm environment and run code obtained from the npm registry.

Why it was flagged

If wenyan is missing, the script installs an external npm package globally. This is disclosed and central to the skill, but the package version is not pinned in the artifacts.

Skill content

npm install -g @wenyan-md/cli

Recommendation

Install or verify @wenyan-md/cli yourself from a trusted source, consider pinning a known-good version, and avoid running the install with elevated privileges unless necessary.