Wechat Article Auto Gen

This skill largely does what its description promises, but there are several red flags you should consider before installing or using it: - Hard-coded API key: SKILL.md contains a literal API key and API URL for a third‑party image service. Treat this as suspicious — it may be a placeholder, a leaked key, or an invitation to use someone else's quota. Do not rely on embedded keys; require the author to remove it and document how to supply your own credential via environment variables or config. - Missing code provenance: The documentation mentions multiple code files (scraper.py, rewriter.py, etc.) but the package contains only SKILL.md and _meta.json. Ask the publisher for the full source or provenance before trusting runtime behavior. - Network and data exfiltration risk: At runtime the skill will fetch arbitrary web articles and send content to external services (image generation API, potentially LLM endpoints). That can leak copyrighted or sensitive contents. Verify legal compliance for scraping target sites and ensure you control which external endpoints are used. - Replace hard-coded secrets and review endpoints: If you plan to run this, replace any embedded keys with your own credentials, whitelist allowed external hosts, and run the skill in a network-restricted/sandboxed environment until you can confirm behavior. - Ask for clarifications: Request the missing code files, a clear list of all external endpoints the skill calls, and explicit instructions on how to supply credentials. If the author cannot provide these, treat the skill as untrusted. If you must test it: run in an isolated environment, monitor outbound network traffic, and do not use sensitive or production credentials until you've verified the code and provenance.