Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Wechat Mp Toolkit
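v1.0.0
A complete toolkit for WeChat Official Accounts, including article creation, cover generation, automatic publishing, hot-topic analysis and other functions. Intended for Official Account operators.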
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match a WeChat publishing tool, and the code calls the WeChat API as expected. However the repo contains hardcoded appID/appSecret values in config/config.json and in scripts (which is unexpected when requires.env lists no credentials). SKILL.md references many scripts (create-article.js, generate-cover.js, publish-article.js, hotspot-analyzer.js, schedule-publish.js, batch-publish.js, stats.js) that are not present in the file list — only full-workflow.js and publish-existing.js exist. SKILL.md instructs editing config/wechat-config.json but the repo uses config/config.json. These mismatches reduce coherence between stated purpose and the actual bundle.
Instruction Scope
SKILL.md instructs network calls to news sources and to api.weixin.qq.com (expected) and to install ImageMagick (expected). But runtime instructions and scripts reference system/global paths (/root/.openclaw/..., /root/.openclaw/workspace-operator/skills/wechat-cover-generator/...) and execute an external cover script if present. The code writes/reads files under /root and /tmp, runs shell commands (execSync) and 'convert' — actions that reach outside the skill's own directory and can execute arbitrary code. SKILL.md also contains unicode-control-chars prompt-injection signals (scanner flagged this). The SKILL.md is vague about which files/credentials must be set and gives broad instructions, granting the agent substantial discretion.
Install Mechanism
There is no install spec (instruction-only install), and dependencies are standard Node packages (axios/form-data). That is low-risk in itself. However the shipped package includes runnable JS scripts and a package-lock.json; since there is no installation sandbox, running the supplied scripts will execute code from the repo on the host.
Credentials
The skill declares no required env vars or primary credential, yet the repo embeds appID/appSecret in config/config.json and duplicates them in scripts — this is disproportionate and risky. The presence of apparently real credentials in repo files (and absolute paths pointing to /root) is a red flag: credentials should be supplied via environment or a secure config, not hardcoded. SKILL.md suggests editing a different config filename than exists, so there is also confusion about where secrets should live.
Persistence & Privilege
always:false (good). But the code writes to and executes from absolute root-owned paths (/root/.openclaw/...), calls other-skill locations, and uses execSync to run external scripts and binaries. Combined with autonomous invocation being allowed by default, these behaviors increase blast radius if the skill is run automatically. The skill does not appear to modify other skills' configs directly, but it intentionally references them, which is privilege/scope creep.
Scan Findings in Context
[unicode-control-chars] unexpected: Pre-scan flagged unicode-control-chars in SKILL.md. The skill includes emoji and could contain control unicode that may be used for prompt manipulation; this is not expected for a standard README/SKILL doc and warrants manual review.
What to consider before installing
Do not run these scripts on a production host without review. Specific actions to consider before installing or executing:
1) Treat the embedded appID/appSecret in config/config.json and scripts as secrets that may be leaked — do not use them. Replace with your own credentials stored securely (environment variables or a secure config) and remove any hardcoded secrets.
2) Audit the two provided JS scripts line-by-line (or run them in an isolated VM/container) — they execute shell commands, run external scripts by absolute path, write under /root, and call other skill locations; all of which can execute untrusted code.
3) Fix mismatches: SKILL.md references many scripts that are missing and mentions a different config filename; ask the author for a complete, consistent release.
4) Remove or inspect any unicode-control characters in SKILL.md (scanner flagged potential prompt-injection).
5) If you intend to test, do so in a sandbox (throwaway VM or container), and rotate any WeChat credentials that may have been exposed by the repo.
6) Prefer a version that requires explicit env vars for credentials (declared in metadata) and confines file I/O to the skill workspace rather than absolute root paths.
If the author cannot address these issues, consider the skill unsafe for use with real account credentials.
scripts/full-workflow.js:165
Shell command execution detected (child_process).
scripts/publish-existing.js:98
Shell command execution detected (child_process).
scripts/full-workflow.js:223
File read combined with network send (possible exfiltration).
scripts/publish-existing.js:51
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
latest vk97dc6rtead4zwhv1arjp5cz9d843w91
