Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
文颜
v1.0.0通过 wenyan-cli,快速将带 frontmatter 的 Markdown 文章发布到微信公众号,支持主题管理和图片自动上传。
⭐ 1· 260·0 current·0 all-time
byLei@caol64
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The SKILL.md describes installing @wenyan-md/cli and publishing Markdown to WeChat — this matches the skill name/description. However the registry metadata declares no required environment variables or credentials, while the instructions explicitly reference WECHAT_APP_ID and WECHAT_APP_SECRET and optional --server/--api-key flags. That mismatch is unexplained.
Instruction Scope
The instructions are narrowly scoped to installing the CLI, preparing frontmattered Markdown, uploading images, and invoking wenyan publish/theme commands. They reference local files (markdown, images, theme CSS) and WeChat credentials which are appropriate for the task and do not ask the agent to read unrelated system data.
Install Mechanism
There is no formal install spec in the registry; the SKILL.md instructs the user to run `npm install -g @wenyan-md/cli`. Installing from npm is common and reasonable for this purpose, but the package provenance is not provided (no homepage/repo listed). Without a known upstream (GitHub, official site) this increases risk — recommend verifying the npm package and author before installing.
Credentials
The instructions require WECHAT_APP_ID and WECHAT_APP_SECRET (and possibly server API keys), which are proportionate to publishing to a WeChat public account. The concern is that the skill metadata declared no required env vars or primary credential, so the registry does not accurately represent the secret access needed.
Persistence & Privilege
The skill is instruction-only, always:false, and does not request persistent or elevated platform privileges. It does not attempt to modify other skills or system-wide agent settings.
What to consider before installing
This skill appears to do what it says (publish Markdown to WeChat using wenyan-cli) but there are two practical concerns: (1) the SKILL.md requires WeChat credentials (WECHAT_APP_ID and WECHAT_APP_SECRET) even though the registry metadata lists none — confirm you are comfortable providing those secrets; (2) the instructions ask you to install an npm package (@wenyan-md/cli) but no homepage/source/repository is provided in the skill metadata. Before installing or running it, verify the npm package author and repository, inspect the package contents (npm pack + untar or review the GitHub repo) or run it in an isolated environment (container/VM). Consider using a limited or test WeChat account or rotating credentials you can revoke, and avoid pasting secrets into unknown web UIs. If you want, I can help look up the @wenyan-md/cli npm package and its maintainers so you can check provenance.Like a lobster shell, security has layers — review code before you run it.
latestvk972jh042fkhy0b3mrr2jp798h82vnyp
License
MIT-0
Free to use, modify, and redistribute. No attribution required.