Wechat Mp Publisher 1.0.0

v1.0.1

Publish articles to WeChat Official Accounts via API using configured AppID, AppSecret, and IP whitelist with access token management.

Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill's name/description (WeChat Official Account publisher) matches the contained code: index.js calls api.weixin.qq.com and implements token, draft, and publish flows. However the registry metadata declares no required environment variables or primary credential, while both SKILL.md and index.js clearly require WECHAT_APPID and WECHAT_APPSECRET. This mismatch between what the skill claims to require and what it actually needs is an incoherence that should be addressed.
Instruction Scope
SKILL.md gives concrete instructions to create a .env with WECHAT_APPID/WECHAT_APPSECRET, run npm install, and run node index.js token|publish. The runtime instructions and code stay within the expected scope (they read local files, convert markdown to HTML, upload images, and call official WeChat endpoints). Note: the README also instructs creating a directory under the user's .openclaw skills path and saving secrets in .env — the guidance to keep secrets out of repos is appropriate.
Install Mechanism
No custom install spec in the registry; it's instruction-only. Dependencies are standard npm packages (axios, dotenv, form-data) referenced in package.json/package-lock.json from the npm registry. No downloads from arbitrary URLs or extract-from-remote archives are present in the bundle.
Credentials
The code requires sensitive credentials (WECHAT_APPID and WECHAT_APPSECRET) and reads a local .env, but the skill metadata does not declare any required env vars or a primary credential. That omission reduces transparency and could lead users to unknowingly provide secrets. Aside from those two secrets, no other unrelated credentials are requested.
Persistence & Privilege
The skill is not marked always:true and does not attempt to change other skills' configurations. It reads/writes files only in its own directory (e.g., output.html, reading article files, optionally uploading provided cover images). Autonomous invocation is allowed (the platform default) but is not combined here with other high-risk traits.
What to consider before installing
This package appears to implement exactly what it claims (WeChat article publish) and contains no obvious exfiltration or strange remote endpoints, but the registry metadata fails to declare the required credentials. Before installing, verify the skill's source/owner (it's listed as 'unknown' / an opaque owner ID), and do the following:

  1. Inspect index.js yourself (it's included) to confirm there are no hidden network calls; the current code only calls WeChat APIs.
  2. Only provide WECHAT_APPID and WECHAT_APPSECRET in a local .env and never commit that file to a repo.
  3. Consider running the skill in an isolated environment (container or VM) and audit npm dependencies (npm audit) before npm install.
  4. Ask the publisher to correct the registry metadata to declare the required env vars and primary credential so the skill listing matches its actual needs.

If you cannot confirm the publisher identity, treat the package as untrusted and avoid providing live AppSecret values until you validate it.


latest vk974d7pbacg8sr7d7cx7t2fz0s82fpqc
449 downloads
2 stars
2 versions
Updated 1mo ago
v1.0.1
MIT-0

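WeChat Official Account publishing skill (wechat-mp-publisher)

Publishes articles to a WeChat Official Account through the WeChat Official Accounts Platform API.

Prerequisites

  1. A registered WeChat Official Account (subscription account or service account)
  2. An AppID and AppSecret have been obtained
  3. The Official Account is verified (service accounts require verification)

Environment variables

Configure in the .env file: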

WECHAT_APPID=你的 appid
WECHAT_APPSECRET=你的 appsecret

Usage

Publish an article

node index.js publish --title "标题" --content "内容" --author "作者"

Get an access_token

node index.js token

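API limits

  • The access_token is valid for 2 hours
  • The number of posts per day is limited (subscription account: 1 per day, service account: 4 per month)
  • A server IP whitelist is required

Notes

  • Before first use, configure the IP whitelist on the WeChat Official Accounts Platform
  • Deploying the skill on a server with a fixed IP is recommended
  • The AppSecret must be kept confidential; do not commit it to a code repository

Installation steps

  1. Install dependencies: npm install
  2. Copy the configuration: touch .env
  3. Edit .env and fill in your WECHAT_APPID and WECHAT_APPSECRET
  4. Configure the IP whitelist on the WeChat Official Accounts Platform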
