Weixin WeChat Channel

Audited by ClawScan on May 10, 2026.

Overview

This skill deserves review because it asks for WeChat account secrets and sends license/device data to a plain-HTTP server while the included code does not implement the advertised WeChat automation.

Install only if you trust the publisher and license server. Before providing WECHAT_APPSECRET or a paid card key, ask for the actual WeChat automation implementation, HTTPS licensing, declared credential requirements, and a clear preview/approval step before drafts are created in your account.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill may create drafts and uploaded assets in the user’s WeChat public account.

Why it was flagged

The skill is designed to automatically create a WeChat public-account draft. That is purpose-aligned and not direct publishing, but it is still an account mutation and the workflow does not describe a separate confirmation gate.

Skill content
5. **Automatically create a draft** - automatically generate or reuse a cover image, then create a draft and save it to the WeChat Official Account backend
Recommendation

Use it only when you explicitly want draft creation, and require a preview/confirmation step before any account write.

What this means

Providing these credentials could give the skill authority to change content in a WeChat public account.

Why it was flagged

The skill expects WeChat public-account API credentials for a workflow that saves drafts to the account, while the registry requirements declare no env vars or primary credential. The artifacts also do not bound the exact API permissions, outputs, or approval flow.

Skill content
- Requires the environment variables `WECHAT_APPID` and `WECHAT_APPSECRET` to be configured
Recommendation

Declare the credential requirements in metadata, document exact API use and scopes, use the least-privileged WeChat app credentials possible, and ask the user before each account mutation.

What this means

The license key and device fingerprint could be visible to the license server and potentially intercepted on the network.

Why it was flagged

License activation/check sends a card key and stable machine fingerprint to a raw IP address over plain HTTP, with unclear server identity, transport protection, retention, or data boundary.

Skill content
_DEFAULT_LICENSE_SERVER = "http://120.27.202.105:8000" ... _http_post_json(url, {"card_key": card_key, "machine_fp": machine_fp})
Recommendation

Use HTTPS with a verified domain, disclose retention and data use, minimize device fingerprinting, and avoid storing or transmitting license secrets in plaintext.

What this means

A user may buy or enter a license key and expose device/license information without receiving the advertised WeChat automation from the reviewed code.

Why it was flagged

The runner claims it will proceed to automation after license verification, but the included code stops after the license check. This conflicts with the advertised one-stop WeChat drafting capability and paid card-key framing.

Skill content
WeChat Official Account skill entry point: verify the card key first, then run the subsequent automation ... print(f"License OK — file: {license_file}") ... return 0
Recommendation

Require the publisher to include or clearly document the actual WeChat automation, distinguish licensing from functionality, and avoid entering paid card keys until the implementation is verifiable.