ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

微信公众号发布技能

v1.1.0

自动收集15条AI新闻,生成HTML内容,并发布到微信公众号草稿箱,支持多模板和自定义发布时间。

0· 85·0 current·0 all-time
by@403914291

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for 403914291/ly-wechat-publisher.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "微信公众号发布技能" (403914291/ly-wechat-publisher) from ClawHub.
Skill page: https://clawhub.ai/403914291/ly-wechat-publisher
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install ly-wechat-publisher

ClawHub CLI

Package manager switcher

npx clawhub@latest install ly-wechat-publisher
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's purpose (collect AI news, build HTML, publish to WeChat draft) is consistent with the included publish.py which calls the WeChat API. However the registry metadata declares no required credentials or env vars while the skill clearly needs and documents AppID/AppSecret — metadata and the package are not aligned.
!
Instruction Scope
SKILL.md and docs reference auxiliary scripts (scripts/install.sh, scripts/activate.py) and a different file layout than what is present in the package. The runtime script (publish.py) reads AppSecret from either a configuration file or the WECHAT_APP_SECRET environment variable (the env var is used even though the registry metadata lists none). The skill writes local caches, logs, token cache, license and usage files under its memory directory. No evidence in the included code of exfiltration to unexpected external endpoints beyond api.weixin.qq.com, but the missing referenced scripts mean behavior could differ if those files are expected at runtime.
Install Mechanism
This is an instruction-only skill/package with an included Python script; there is no remote download or installer specified in the registry. The publish.py depends on the requests package and will exit if it's missing (asks user to pip install requests). No high-risk install URLs or archive extraction are present.
!
Credentials
The skill legitimately needs WeChat credentials (AppID/AppSecret) to function. However the registry metadata does not declare these requirements (no required env vars or primary credential), while the code checks an environment variable WECHAT_APP_SECRET and the docs instruct storing AppID/AppSecret in a config file under the user's skills directory. The undeclared use of an environment variable and omission from metadata is a mismatch that reduces transparency and could lead to accidental credential exposure.
Persistence & Privilege
The skill does not request persistent platform-wide privileges (always: false). It writes its own log, token cache, usage and license files inside its script_dir/memory directory — expected for a publishing tool. It does not appear to modify other skills or system-wide configuration based on the provided files.
What to consider before installing
This skill appears to implement a legitimate WeChat publishing workflow, but there are multiple red flags you should resolve before installing or entering credentials: - Do not provide your AppSecret or AppID until you verify the source. The package metadata does not declare required credentials, yet the code expects them (and reads WECHAT_APP_SECRET if set). - The documentation references additional scripts (install.sh, activate.py) that are not present in the package. Ask the maintainer for the complete source or inspect any missing files before use — missing activation/installation scripts could hide network calls. - Inspect publish.py fully (including the truncated/remaining code) or run it in a sandbox to see whether it contacts any servers other than api.weixin.qq.com (activation/licensing could contact external hosts). - Store AppSecret securely (prefer config file with strict permissions or a secrets manager). Avoid pasting secrets into third-party GUIs or unverified installers. - If you intend to buy/activate, verify payment/activation flow independently (the SKILL.md lists contacts and an external GitHub account). Do not authorize payments or send credentials until you confirm the provider's identity and hosting of activation logic. If you want, I can: - Inspect the rest of publish.py (the file was truncated) for any network calls or telemetry code if you provide the remaining lines, - Suggest a safe test plan (run in an isolated VM, monitor network traffic) or show how to redact AppSecret when sharing diagnostics.

Like a lobster shell, security has layers — review code before you run it.

latestvk977mfgreb6vvvpwepgqtkmdc983qpes
85downloads
0stars
1versions
Updated 1mo ago
v1.1.0
MIT-0
@403914291
latest
Download

微信公众号发布技能

技能名称: wechat-publisher
版本: V1.1.0
描述: 自动发布 AI 新闻到微信公众号草稿箱
作者: 小蛋蛋

📋 功能特性

  • ✅ 自动收集 15 条 AI 新闻
  • ✅ 自动生成 HTML 格式内容
  • ✅ 自动发布到公众号草稿箱
  • ✅ 支持 5 套专业模板
  • ✅ 50 次免费试用 + 8.8 元永久买断
  • ✅ 支持自定义发布时间

🔧 配置项

配置项说明默认值是否必填
app_id公众号 AppID-✅ 是
app_secret公众号 AppSecret-✅ 是
schedule发布时间06:00❌ 否
template发布模板v5-simple❌ 否
news_count新闻条数15❌ 否
timezone时区Asia/Shanghai❌ 否

📖 使用说明

安装技能

openclaw skill install wechat-publisher

配置技能

openclaw skill config wechat-publisher

设置发布时间

openclaw schedule wechat-publisher 07:00

查看状态

openclaw skill status wechat-publisher

💰 授权说明

  • 试用版: 50 次免费使用(约 1 个月)
  • 专业版: 8.8 元永久买断
  • 购买命令: openclaw skill buy wechat-publisher

📊 试用次数说明

50 次免费试用包含:

  • ✅ 测试所有 5 套模板
  • ✅ 配置调试和学习成本
  • ✅ 约 1 个月的实际使用
  • ✅ 充分体验自动发布功能

试用次数用完后:

  • 运行 openclaw skill buy wechat-publisher 购买专业版
  • 8.8 元永久买断,无限次使用

📞 支付联系方式

支付流程:

  1. 运行购买命令后,系统生成订单
  2. 用户扫码支付(微信/支付宝)
  3. 支付成功后,通过以下方式联系管理员获取激活码:
联系方式说明
微信添加管理员微信:lylovejava(备注:技能购买)
公众号关注"小蛋蛋助手"公众号,发送订单号
邮箱support@wechat-publisher.ai(24 小时内回复)
GitHubhttps://github.com/403914291 提交 Issue

自动激活(推荐):

  • 支付成功后,系统自动发送激活码到用户邮箱
  • 或在购买界面直接显示激活码

📁 文件结构

wechat-publisher-skill/
├── SKILL.md              # 技能定义文件
├── publish.py            # 核心发布脚本
├── scripts/
│   ├── install.sh        # 安装脚本
│   └── activate.py       # 激活脚本
├── templates/
│   ├── v5-simple.html    # V5 简洁模板
│   └── ...               # 其他模板
├── config/
│   └── default.json      # 默认配置
└── docs/
    └── USER_GUIDE.md     # 用户手册

创建日期:2026-03-26
最后更新:2026-03-26

Comments

Loading comments...