WeChat Mini Program Automated Testing

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it claims (automate WeChat Mini Program testing), but to do so it executes local automation scripts, controls WeChat DevTools, submits UI actions, and saves logs and screenshots to disk.

Install only if you are comfortable giving the skill local automation control over WeChat DevTools. Use test projects and accounts, verify the npm dependency, review batched scripts before they run, and treat generated screenshots/log reports as potentially sensitive.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
Severity: Low
What this means

Automated clicks and inputs may create test data, submit forms, or trigger real app actions.

Why it was flagged

The predefined form test can submit a form inside the Mini Program. This is expected for UI testing, but it can mutate app state if pointed at a live environment.

Skill content
runner.click("button[type='submit']").wait(2)
Recommendation

Use a test project, test backend, and test account; review batched actions before running them.

ASI05: Unexpected Code Execution
Severity: Low
What this means

Running the skill executes locally generated automation code on the user's machine.

Why it was flagged

The automation engine generates temporary JavaScript files and executes them with Node. This is central to the testing workflow, but it is still local code execution.

Skill content
with open(script_path, "w", encoding="utf-8") as f:
    f.write(automation_script)
...
subprocess.run(
    ["node", script_path],
Recommendation

Run only with trusted test parameters and review generated or planned scripts when actions affect important projects.

ASI04: Agentic Supply Chain Vulnerabilities
Severity: Low
What this means

Users must install and trust an external npm package and local Node tooling for the skill to work.

Why it was flagged

The skill relies on an external global npm package. This dependency is documented, but the registry install spec and required binaries are not declared.

Skill content
Install: `npm install -g miniprogram-automator`
Recommendation

Install dependencies from trusted sources, check package provenance, and consider pinning versions in your own environment.

ASI07: Insecure Inter-Agent Communication
Severity: Low
What this means

The local DevTools service port lets automation inspect and control the running Mini Program session.

Why it was flagged

The skill connects to a local WebSocket service exposed by WeChat DevTools. This is expected for automation, but it is a control/data channel into the DevTools session.

Skill content
Enable "Service Port" ... ws_endpoint="ws://localhost:9420"
Recommendation

Enable the service port only when needed and keep the endpoint local and trusted.

ASI06: Memory and Context Poisoning
Severity: Low
What this means

Screenshots, logs, and reports may preserve sensitive test data on disk.

Why it was flagged

The console reader can export project paths and collected logs into local reports. This is expected for debugging, but logs may contain sensitive app or user data.

Skill content
"project_path": self.project_path,
"total_logs": len(logs),
"logs": [log.to_dict() for log in logs]
Recommendation

Avoid using production secrets or real user data in tests, and clean up generated screenshots/reports when no longer needed.