Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Wechat Blog Write Publish
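v0.1.0
Based on reference materials provided by the user, automatically writes and formats a WeChat Official Account article, saves it as Markdown, and publishes it to the Official Account draft box.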
by CaiJichang @caijichang212
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description promise (generate and publish WeChat articles) aligns with the instructions: create Markdown from references and call wenyan-cli to publish. The tasks and referenced tooling are consistent with the stated purpose.
Instruction Scope
SKILL.md instructs the agent to fetch web pages, read local files/PDFs, generate Markdown/mermaid, and run wenyan-cli commands to publish. Those actions are within the skill's scope, but they require access to local files and network resources and will use WeChat credentials for publishing.
Install Mechanism
There is no formal install spec in the registry (instruction-only), but SKILL.md directs installing @wenyan-md/cli via npm (-g). Installing a global npm package is a normal but non-trivial action — verify the package source (npm/GitHub) before installation. No suspicious download URLs are present in the skill content.
Credentials
Publishing requires WeChat AppID and AppSecret and IP whitelist configuration; these sensitive credentials are necessary and proportional to the described publish action. The skill metadata does not declare these env vars/credentials (it is instruction-only), so the user must provide/configure them separately. Be cautious about how those credentials are stored and which tool/processes can access them.
Persistence & Privilege
Skill is not always-enabled and does not request persistent platform privileges. It does not attempt to modify other skills or system-wide configs in the provided instructions.
Assessment
This skill appears coherent for drafting and publishing WeChat articles, but before installing or running anything:
1) Verify the @wenyan-md/cli npm package and its source (GitHub repo, recent maintainers, license, and code) so you trust what the installer will run.
2) Be prepared to supply your WeChat AppID/AppSecret and add your machine's public IP to the official account IP whitelist — treat AppSecret like a password and do not share it.
3) When testing, use a non-critical/test official account or sandbox to confirm behavior (so accidental publishes or credential leaks don't affect a production account).
4) Avoid giving the tool access to sensitive local files you don't want uploaded.
5) If you need stronger assurance, review the wenyan-cli source code (or network traffic) to confirm it doesn't transmit credentials or data to unexpected endpoints and that it only calls the official WeChat API.
Like a lobster shell, security has layers — review code before you run it.
latest: vk972fmqmevnyxjr8dsfhy3kfys83bpr6
