Rss To Wechat
v1.0.1将 RSS 文章转换为微信公众号格式。适用于:发布 RSS/博客文章到微信、格式化内容以符合微信 API、自动化微信内容发布。
⭐ 1· 328·0 current·0 all-time
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The scripts, documentation, and SKILL.md align with the stated goal (fetch RSS/article → parse → generate WeChat-compatible HTML → optionally publish). Required local configuration (WECHAT_APPID/WECHAT_APPSECRET, optional COVER_SKILL and WECHAT_PUBLISH_SCRIPT) is reasonable for a WeChat publishing skill — but the registry metadata lists no required environment variables, which is inconsistent and reduces transparency.
Instruction Scope
Runtime instructions (and the included scripts) tell the agent to run local shell scripts that: fetch arbitrary URLs with curl, parse/convert content with pandoc, and invoke user-provided scripts to generate covers and publish drafts. parse-article.sh explicitly includes the comment '绕过 web_fetch 的 SSRF 限制' (bypass web_fetch SSRF restriction), which indicates an attempt to circumvent platform protections. The skill therefore performs broad network I/O and can run arbitrary local scripts provided via configuration — behaviour beyond mere formatting and requiring user scrutiny.
Install Mechanism
No install spec is provided (instruction-only plus bundled scripts), so nothing is automatically downloaded or executed at install time. All code is present in the bundle; risk comes from running scripts, not from an installer fetching remote archives.
Credentials
The bundle expects WeChat credentials and optional paths (COVER_SKILL, WECHAT_PUBLISH_SCRIPT) documented in config.example.sh, but the registry metadata declares no required env vars. This mismatch reduces transparency: secrets are supplied via a local config file (config.local.sh) rather than declared explicitly, and configurable script paths allow the skill to execute arbitrary binaries. Requesting WeChat credentials is proportionate to the publishing function, but the lack of manifest declaration and the ability to point to arbitrary executables are notable risks.
Persistence & Privilege
The skill is not always-enabled and uses normal autonomous invocation defaults. It does not request system-wide persistent privileges in the manifest, and it does not modify other skills' configuration. Persistent behavior would come from cron/automation set up by the user (documented cron example), not from any special platform privilege.
What to consider before installing
What to check before installing/using this skill:
- Be aware this package includes runnable shell scripts that will fetch arbitrary web pages (curl) and execute user-configured scripts. Review every script (parse-article.sh, format-wechat.sh, publish-article.sh, and scripts referenced in config.local.sh) before running.
- The repo expects WeChat credentials (WECHAT_APPID and WECHAT_APPSECRET) via a local config file (config.local.sh). The skill's registry metadata does not declare required secrets — treat this as a transparency issue. Only add credentials to a local file if you trust the author and are comfortable storing them locally.
- parse-article.sh contains an explicit comment about "bypass[ing] web_fetch SSRF restriction". Ask the author to explain this or remove such behavior. Do not run the scripts in a privileged environment until you understand why the code claims to bypass platform protections.
- COVER_SKILL and WECHAT_PUBLISH_SCRIPT point to arbitrary executables: do not set those to untrusted scripts. Inspect any cover/publish script output and verify it does not exfiltrate data or leak tokens.
- Test in a sandbox: run scripts with a known safe URL and with credentials omitted to see dry-run behaviour (use --check and parse only). Configure a safe path for PUBLISH_HISTORY (it is referenced but not set by default) to avoid accidental writes.
- If you need to proceed: run bash scripts/rss-to-wechat.sh --check, inspect config.local.sh, run parse-article.sh on a sample URL and review generated JSON/HTML before any publishing step. If anything is unclear or the author cannot justify the SSRF-bypass comment, avoid using automated publishing and keep execution manual.Like a lobster shell, security has layers — review code before you run it.
latest
RSS to WeChat | RSS 转微信公众号
将 RSS 文章或任何网页内容转换为微信公众号兼容的 HTML 格式。
快速开始
# 检查配置和依赖
bash scripts/rss-to-wechat.sh --check
# 处理文章
bash scripts/rss-to-wechat.sh --url "https://example.com/article"
# 自动选择最新文章(需要 blogwatcher)
bash scripts/rss-to-wechat.sh --auto
配置
首次使用:
# 复制配置示例
cp references/config.example.sh config.local.sh
# 编辑配置
nano config.local.sh
最小配置:
WECHAT_APPID="你的AppID"
WECHAT_APPSECRET="你的AppSecret"
BRAND_NAME="你的品牌名称"
工作流程
-
数据准备(自动)
- 脚本获取并解析文章
- 提取标题、作者、内容
- 保存为 JSON
-
HTML 生成(AI 辅助)
- AI 助手生成微信兼容的 HTML
- 使用品牌配置
- 遵循严格的格式要求(见
references/html-template.md)
-
封面生成(可选)
- 如果配置了
COVER_SKILL - 生成 1283×383 封面图
- 如果配置了
-
发布(可选)
- 如果配置了微信凭证
- 通过 API 上传到草稿箱
微信 HTML 格式要求
微信 API 对 HTML 格式有严格要求:
必须使用:
<section>和<p>标签(不用<div>)- 内联样式
style="..." <strong>和<em>标签- 完整 URL(不用相对链接)
禁止使用:
class或id属性- 外部 CSS
- JavaScript
- 相对链接
详见 references/html-template.md 查看完整模板和示例。
脚本
所有脚本位于 scripts/ 目录:
rss-to-wechat.sh- 主入口parse-article.sh- 文章内容提取format-wechat.sh- HTML 格式化(已弃用,使用 AI 生成)config.sh- 默认配置test.sh- 依赖检查
参考文档
references/USER_GUIDE.md- 完整用户文档references/html-template.md- 微信 HTML 模板和样式指南references/config.example.sh- 配置示例(包含所有选项)
依赖
必需:
curl- HTTP 请求jq- JSON 处理pandoc- 格式转换
可选:
blogwatcher- RSS 订阅管理(用于 --auto 模式)- 自定义封面生成脚本
- 自定义发布脚本
配置选项
查看 references/config.example.sh 了解所有可用选项:
- RSS 源和过滤条件
- 品牌定制(名称、标语、颜色)
- 路径配置
- 外部工具集成
- 关键词过滤
故障排除
错误 45166(invalid content)
- 检查 HTML 格式是否符合要求
- 确保所有样式都是内联的
- 移除 class/id 属性
- 参考成功案例
文章解析失败
- 检查 URL 是否可访问
- 确认没有反爬虫措施
- 尝试手动提取内容
配置问题
- 运行
bash scripts/rss-to-wechat.sh --check - 确认所有必需工具已安装
- 检查微信凭证
注意事项
- 此 skill 提供数据准备和指导
- AI 助手根据模板生成最终 HTML
- 手动 HTML 生成已弃用(因微信格式要求严格)
- 本地配置(
config.local.sh)不会提交到 git
Comments
Loading comments...