WeChat Official Account Publishing Tool

Security checks across malware telemetry and agentic risk

Overview

This WeChat publishing skill matches its stated purpose, but it handles high-impact account credentials and public posting with some under-disclosed persistence and safety gaps that users should review carefully.

Install only if you trust the code with your WeChat official-account credentials. Prefer draft mode, preview every article, avoid direct publishing unless you explicitly confirm it, store secrets outside the project when possible, and delete or rotate token caches/logs if you stop using the skill.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI03: Identity and Privilege Abuse
Medium
What this means

Anyone who can read the skill's token cache file could potentially use the account token until it expires, including for publishing-related actions.

Why it was flagged

The skill caches a WeChat access token that can be used to act as the public account. File mode 600 helps, but the token is still stored in plaintext and this is not clearly surfaced in the main metadata.

Skill content
"access_token": self._access_token ... with open(self.cache_file, 'w', encoding='utf-8') as f: json.dump(cache, f, ensure_ascii=False, indent=2) ... os.chmod(self.cache_file, 0o600)
Recommendation

Store tokens in an OS keychain or encrypted store, document the cache location, and provide a clear cleanup/rotation command.

ASI02: Tool Misuse and Exploitation
Medium
What this means

A mistaken or premature invocation could send content to the public WeChat account audience rather than only saving a draft.

Why it was flagged

The skill exposes direct public/mass publishing capability. This is central to the skill, but the primary instructions do not explicitly require a draft preview or user confirmation before direct publication.

Skill content
python publish.py --publish "文章标题" "文章内容" ... **WeChatAPI** ... `publish_all()` - mass-send messages
Recommendation

Default to draft mode, require explicit user confirmation for `--publish`/mass-send actions, and show the final title/content/template before publishing.

ASI06: Memory and Context Poisoning
Medium
What this means

Local logs may reveal information about unpublished drafts or uploaded media if another process or user can access them.

Why it was flagged

The included audit acknowledges that logs can retain WeChat media IDs, draft IDs, and image URLs. These persistent artifacts may expose account-related publishing data.

Skill content
H-02: Log files may leak sensitive information ... media_id is not fully redacted ... draft IDs could be exploited ... image URLs expose official-account information
Recommendation

Reduce logged identifiers, rotate logs, make cleanup paths relative to the skill directory, and document where logs are stored.

ASI08: Cascading Failures
Medium
What this means

Untrusted or copied article content could be transformed into unsafe HTML and propagated into a public publishing channel, even if WeChat later filters some content.

Why it was flagged

The audit reports that Markdown is converted to HTML without filtering dangerous tags before the content is sent into a publishing workflow.

Skill content
Markdown-to-HTML conversion may be vulnerable to XSS ... html = markdown.markdown(...) ... return html  # ❌ dangerous tags are not filtered
Recommendation

Sanitize HTML with a strict allowlist before draft or publication, and preview the sanitized result before sending it to WeChat.

ASI10: Rogue Agents
Low
What this means

If enabled, scheduled publishing may run later without the user actively watching each post.

Why it was flagged

The guide documents an optional persistent scheduled publishing setup. It is user-directed and purpose-aligned, but it can continue running after setup.

Skill content
Create a scheduled task (macOS) ... launchctl load ~/Library/LaunchAgents/com.wechat.publish.plist
Recommendation

Use scheduled mode only for reviewed content, document how to disable it, and require approval before any scheduled job performs direct publication.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

Users need to install Python dependencies locally and should understand that this adds third-party code to the environment.

Why it was flagged

The skill requires local package installation even though registry metadata says there is no install spec. The provided requirements are version-pinned, so this is mainly an install-disclosure gap rather than evidence of malicious behavior.

Skill content
pip install -r requirements.txt
Recommendation

Declare the install step and dependencies in metadata/install specs, keep versions pinned, and install in a virtual environment.

ASI03: Identity and Privilege Abuse
Low
What this means

Installing users must provide secrets that let the tool access their WeChat publishing account and optional image services.

Why it was flagged

The skill requires WeChat account credentials and optional image-provider API keys, but registry metadata lists no required environment variables or primary credential. The credential need is purpose-aligned and disclosed in the documentation.

Skill content
Edit config.yaml and fill in AppID and AppSecret ... export DALL_E_API_KEY="sk-..."
Recommendation

Document all required and optional credentials in registry metadata, prefer environment variables or a secret manager, and avoid committing populated config files.