Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Wechat Publisher Skill
v2.0.2
Automatically collects 15 AI news items, generates HTML content, and publishes drafts to WeChat official accounts with customizable templates and scheduling.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's stated purpose (collect news, generate HTML, publish drafts to WeChat) matches the included publish.py, which fetches a WeChat access token and prepares content for upload. However, the registry metadata declared no required env vars or primary credential, while the skill obviously needs a WeChat AppID and AppSecret (present in config/default.json and referenced throughout the docs and code). This metadata omission is inconsistent and worth flagging.
Instruction Scope
SKILL.md and the docs instruct the agent/user to supply AppID/AppSecret and to run network calls (ip-api.com, api.weixin.qq.com), which are needed for operation. But the docs explicitly recommend hard-coding AppID/AppSecret into scripts for scheduled runs (Troubleshooting §6, '使用硬编码密钥(推荐)', i.e. "Use hard-coded keys (recommended)"), reference reading local caches (D:\news), and display concrete example secret values in install-guide. This expands scope beyond minimal needs and encourages insecure handling of credentials. The instructions also ask users to contact authors/admins for activation/payment; that is operationally separate from the publishing function.
Install Mechanism
There is no remote download/extract install spec in the registry (install occurs via normal OpenClaw skill install). That lowers supply-chain risk. The package does include Python code (publish.py) which will be installed to disk and executed by the agent when invoked — review the code before running.
Credentials
The skill requires sensitive credentials (WeChat AppID/AppSecret) which are appropriate for the stated purpose. But the registry declared no required env vars and no primary credential, while the code reads WECHAT_APP_SECRET from environment or config. The docs include example AppID/AppSecret values and recommend storing secrets in plaintext or embedding them into scripts — practices that are disproportionate and insecure. The skill also makes network requests to third-party endpoints (ip-api.com for IP detection) which leaks the host's external IP (though used for whitelist setup).
Persistence & Privilege
The skill does not request 'always: true' or system-wide privileges. It writes token-cache, license, usage, and status files into its own memory directory under the skill; that is expected for operation. It does not appear to modify other skills or global agent settings.
Scan Findings in Context
[pre-scan-injection-signals] expected: Automated pre-scan reported no injection signals. Manual review still needed because the package includes executable Python code that performs network requests and writes caches, and the docs encourage insecure credential handling.
What to consider before installing
This skill appears to implement a WeChat-publishing workflow, but there are several red flags you should consider before installing:
1) Metadata omission: the registry lists no required credentials while the skill needs AppID/AppSecret — confirm where and how you'll supply these securely.
2) Insecure instructions: the docs explicitly recommend hard-coding AppSecret into scripts and even show example secrets; never hard-code production credentials.
3) Review code: inspect scripts/publish.py yourself (or in a sandbox) to verify it only calls api.weixin.qq.com and legitimate sources; check token-cache and license behavior.
4) Sandbox network: run the skill in an isolated environment first to observe outbound requests (ip-api.com, WeChat API) and ensure no unexpected hosts are contacted.
5) Secrets handling: prefer storing credentials in a secure config store or environment variables with restricted file permissions; rotate any credentials used for testing.
6) Payment/activation: the activation/purchase flow is manual (contacting admin), so avoid providing personal payment info before you verify the author and repository.
If you are not comfortable reviewing the code, treat this skill as untrusted and avoid installing it on a production machine or with high-privilege credentials.
Like a lobster shell, security has layers — review code before you run it.
