md2wechat
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: md2wechat Version: 2.0.7 The md2wechat skill provides a comprehensive interface for a CLI tool designed to convert Markdown files into WeChat Official Account articles. It handles sensitive WeChat credentials (WECHAT_APPID, WECHAT_SECRET) and local configuration files, but its instructions in SKILL.md are strictly aligned with its stated purpose of content creation, image generation, and draft management. The skill includes safety-oriented instructions for the agent, such as validating configurations and requiring explicit user consent before performing remote actions or draft creation.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Content may be made to appear more human-authored than it is, creating disclosure, ethics, or compliance risks.
The skill explicitly advertises altering content to make AI authorship less visible, which can mislead readers or reviewers of public-facing WeChat content.
write with creator styles or remove AI writing traces
Use humanizing only for legitimate editing, not to evade disclosure or detection; require user review before publishing or uploading drafts.
Anyone or any agent process with access to these environment variables may be able to act against the connected WeChat Official Account.
The skill needs WeChat Official Account credentials for account-affecting operations. This is expected for draft upload, but those credentials are sensitive.
Draft upload and publish-related actions require `WECHAT_APPID` and `WECHAT_SECRET`.
Use the least-privileged WeChat app credentials available, keep them out of shared logs/projects, and rotate them if exposed.
Mistaken invocation could upload or create unwanted draft/post content in the connected WeChat account.
The documented command set can create WeChat drafts or image posts. This is purpose-aligned, but it mutates an external account state.
`md2wechat convert article.md --draft --cover cover.jpg` ... `md2wechat create_draft draft.json` ... `md2wechat create_image_post -t "Weekend Trip" --images photo1.jpg,photo2.jpg`
Prefer preview, inspect, and dry-run flows first, and require explicit user approval before running draft or image-post creation commands.
Article content or image prompts could leave the local machine depending on the configured provider/API endpoint.
The skill uses API/provider-backed modes for conversion or image generation, so article text, prompts, or images may be processed by configured external services.
`convert` defaults to `api` mode ... Image generation may require additional image-service configuration in `~/.config/md2wechat/config.yaml`.
Review provider settings and base URLs before using private content; avoid sending confidential drafts to untrusted services.
A future upstream change could alter the installed CLI behavior without the skill artifact changing.
The Go install path follows the latest module version rather than a pinned version. This is common for CLI installation but reduces reproducibility.
go | module: github.com/geekjourneyx/md2wechat-skill/cmd/md2wechat@latest
Install from a reviewed release or pin a known-good version where possible.