Uni App Wechat Cicd

This skill appears to implement a real uni‑app → WeChat CI/CD workflow, but the registry metadata fails to declare the runtime requirements (node/npm and the CI secrets). Before installing or enabling it: - Treat WEAPP_PRIVATE_KEY and WEAPP_APPID as sensitive secrets. Do not put private keys into repo history; store them in CI secret storage. - Confirm the skill's metadata is updated to declare required env vars and binaries (NODE/npm, WEAPP_APPID, WEAPP_PRIVATE_KEY or WEAPP_PRIVATE_KEY_PATH, VERSION). The current metadata omission is suspicious (may be an oversight, but it hides what the skill actually needs). - Review scripts/build-uni.js and scripts/ci-publish.sh yourself: they write the private key from an env var to disk (keys/private.key by default). Ensure your CI runner is trusted, permissions are tightened (chmod), and artifacts containing keys are not retained or published. - In CI (GitHub Actions/GitLab) ensure secrets are masked and the key-writing step cannot leak via logs. Avoid echoing secrets to logs. - If you plan to run locally, run the scripts in an isolated environment and verify the private key path before execution. If the author cannot or will not update the skill metadata to list required env vars and runtime dependencies, consider this a red flag and proceed only after manual code review and controlled testing.