Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
WeChat Social Automation
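v0.1.1
Automatically manages WeChat Official Account and Moments content, providing article publishing, scheduled pushes, engagement analytics, and follower management.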
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill is for managing WeChat public accounts and friend-circle posts, and the SKILL.md requests WECHAT_APP_ID, WECHAT_APP_SECRET, and WECHAT_TOKEN — those credentials are appropriate for the claimed purpose. However, the registry metadata lists no required environment variables or primary credential, which is inconsistent with the instructions and reduces trust.
Instruction Scope
SKILL.md describes publishing, scheduling, analytics, and fan management and instructs users to provide WeChat credentials or add them to TOOLS.md. The instructions do not ask the agent to read unrelated system files or external secrets, but they are vague about how API integration will be performed (no endpoints, no auth flow, and many features are marked unimplemented). This ambiguity could lead to the agent asking for sensitive info without a clear, implemented backend.
Install Mechanism
No install spec and no code files (instruction-only) — minimal installation risk because nothing is downloaded or written by the skill itself. However, because the skill is not implemented, functionality depends on external integration that is not specified.
Credentials
The SKILL.md requires AppID/AppSecret/Token which are reasonable for WeChat API access, but the registry metadata does not declare any required env vars or primary credential (mismatch). The README suggests adding secrets into a TOOLS.md file (plaintext), which is insecure. The skill requests sensitive credentials without describing secure handling, storage, or scoping.
Persistence & Privilege
The skill is not marked always:true and does not request persistent system-level privileges. As instruction-only, it does not modify other skills or system configs according to the provided files.
What to consider before installing
This skill claims to automate WeChat accounts and its SKILL.md asks for your AppID/AppSecret/Token — those are valid credentials for the claimed task. However, the registry metadata does not list any required secrets (inconsistent), the integration is marked unimplemented, and the README suggests putting credentials into TOOLS.md (plaintext). Do not supply credentials until you verify how they will be used and stored: ask the developer how API calls are performed, whether secrets are stored encrypted or in a vault, request the actual implementation/source code, and prefer using platform-managed secret fields rather than embedding credentials in files. If you must test, create a limited-scope/test WeChat account or API key and avoid using production credentials.
Like a lobster shell, security has layers — review code before you run it.
latest: vk972dqgw8xq3admjzcxszsczn182te0x
