bozo-wechat-publisher

This skill appears to implement the promised WeChat publishing flow, but there are a few mismatches you should consider before installing: - The registry metadata lists no required env vars, yet SKILL.md and the scripts require WECHAT_APP_ID and WECHAT_APP_SECRET. Decide whether you are comfortable providing those credentials to scripts you run locally. - The scripts try to load credentials from ~/.openclaw/workspace/TOOLS.md. Inspect that file yourself first — if it contains other secrets, avoid letting scripts read it. Prefer explicitly exporting only the two WECHAT_* env vars in a dedicated file you control, or set them in your shell session before running. - The install instructions advise creating a wrapper in ~/.local/bin and appending to your shell rc. Those are user-level changes; review and run them manually rather than blindly executing the provided snippets. - The scripts upload images and send HTML content to api.weixin.qq.com (expected). If you keep sensitive content in your Markdown or assets, be aware they will be transmitted to WeChat. - If you want to reduce risk: run the publish scripts in an isolated environment (container or dedicated account), or audit/modify the scripts to remove the TOOLS.md lookup and to print the API payload for review before sending. If you want, I can: (a) point out the exact lines in scripts that read TOOLS.md and network endpoints, (b) produce a minimal patched version that avoids reading TOOLS.md, or (c) generate a checklist to run this safely in a container.