Wechat Mini App

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A user or agent may invoke behavior that is not what the mini-app helper description suggests.

Why it was flagged

This bundled script presents unrelated content-creation functionality under the same wechat-mini-app name, contradicting the skill's stated WeChat Mini App development purpose.

Skill content

# wechat-mini-app - Chinese content creation tool ... Commands: write, title, outline, polish, hashtag, platform, hot, template, translate, proofread

Recommendation

Remove or rename the unrelated script, or clearly document it as a separate feature with matching metadata and command guidance.

What this means

Topics or text passed to the content commands may remain on disk after the task is finished.

Why it was flagged

The script creates persistent local storage and writes command inputs to a history log, but SKILL.md does not disclose this local retention behavior.

Skill content

DATA_DIR="${WECHAT_MINI_APP_DIR:-${XDG_DATA_HOME:-$HOME/.local/share}/wechat-mini-app}" ... _log() { echo "$(date '+%m-%d %H:%M') $1: $2" >> "$DATA_DIR/history.log"; }

Recommendation

Make logging opt-in, document the storage path and retention behavior, and provide a clear cleanup command or disable logging by default.

What this means

Generated snippets may request permissions, handle payments, store tokens, or clear app storage if used without review.

Why it was flagged

The mini-app helper generates code snippets for payment, login/token storage, location, scanning, and storage operations. These are expected for a WeChat Mini App developer helper, but they affect user data or app behavior if copied into a real app.

Skill content

print("APIs: request, login, pay, share, storage, location, scan") ... "wx.requestPayment({" ... "wx.getLocation({" ... "wx.clearStorageSync();"

Recommendation

Treat the generated code as a template only; review permissions, token handling, payment flows, and storage clearing before shipping.

What this means

It is harder to verify provenance or understand which included script will actually run.

Why it was flagged

The registry metadata does not provide a verified source or homepage and does not explain how the bundled scripts are installed or invoked.

Skill content

Source: unknown; Homepage: none ... No install spec — this is an instruction-only skill ... Code file presence: 2 code file(s)

Recommendation

Prefer a package with consistent source metadata, a clear install spec, and documented executable entry points.