WeChat GZH
v1.0.0微信公众号管理 skill。支持获取 Access Token、永久素材管理、发布能力(发布草稿、查询发布状态、获取已发布列表、删除发布文章)。触发词:微信公众号、wechat gzh、发布图文、素材管理。
⭐ 0· 48·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description describe WeChat Official Account management and the code implements token handling, material upload, draft/publish flows and calls only api.weixin.qq.com endpoints — this is coherent with the stated purpose.
Instruction Scope
SKILL.md permissions state the skill may read 'workspace files and environment variables', but the implementation reads a specific config file (~/.wechat_gzh_config.json) and any local files the user explicitly provides for upload; the code does not read arbitrary env vars. Minor mismatch between declared permissions and actual behavior.
Install Mechanism
There is no install spec (instruction-only install) and the package contains a Python script only. The _meta.json mentions a dependency on 'requests'; there is no download from external URLs or archive extraction — low install risk but runtime requires 'requests' available.
Credentials
The skill requires an AppID and AppSecret stored in a local config file (recommended permission 600). It does not declare or require unrelated credentials. SKILL.md's mention of reading environment variables is not reflected in the code — slight inconsistency but not dangerous by itself.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It only reads its own config file and user-specified files; it does not modify other skills or system-wide agent settings.
Assessment
This skill appears to implement exactly what it claims: it needs your WeChat AppID and AppSecret (stored in ~/.wechat_gzh_config.json by default) and will make HTTPS calls to api.weixin.qq.com. Before enabling: (1) create the config file with correct permissions (chmod 600) and avoid storing secrets in shared locations; (2) review the included scripts/wechat_gzh.py yourself if you want extra assurance; (3) be aware that uploading a local file will transmit its bytes to WeChat servers; (4) ensure the runtime has the 'requests' library installed; (5) note the small documentation mismatch where SKILL.md mentions environment-variable access — the code does not use env vars, but double-check your environment if you intend to run it.Like a lobster shell, security has layers — review code before you run it.
latestvk97atvnddsbh5cwkbn6ysvh3c583wrrh
License
MIT-0
Free to use, modify, and redistribute. No attribution required.