ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

WeChat MP Plus

v1.0.0

Automate WeChat Official Account management with draft publishing, menu editing, auto-reply checking, and Markdown-to-HTML formatting.

0· 30·0 current·0 all-time
by@huuuwnnn-droid

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for huuuwnnn-droid/wechat-mp-plus.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "WeChat MP Plus" (huuuwnnn-droid/wechat-mp-plus) from ClawHub.
Skill page: https://clawhub.ai/huuuwnnn-droid/wechat-mp-plus
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install wechat-mp-plus

ClawHub CLI

Package manager switcher

npx clawhub@latest install wechat-mp-plus
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The scripts (wechat_mp.py, publish.py, menu.py, md2html.py) implement WeChat MP features described (token management, upload, draft creation, menu, markdown→HTML). However the registry metadata claims no required env vars or credentials while SKILL.md and the code require WECHAT_MP_APP_ID and WECHAT_MP_APP_SECRET — this is an inconsistency that should be corrected.
Instruction Scope
SKILL.md limits actions to running the provided scripts and describes needed env vars or a .secrets file. The runtime behavior follows those instructions. Minor scope concerns: the SKILL.md does not document the exact filesystem paths the code will check for a .secrets/wechat_mp.env file (the code looks in specific locations), and the md2html script will attempt to install the 'markdown' package at runtime if missing.
!
Install Mechanism
There is no install spec (instruction-only), which is low risk, but md2html.py will auto-install the 'markdown' Python package via subprocess. The pip call uses the flag '--break-system-packages', which is aggressive and can alter system-managed Python packages in some environments — this increases risk and should be documented or avoided.
!
Credentials
The code reasonably requires only two credentials (WECHAT_MP_APP_ID and WECHAT_MP_APP_SECRET) for its WeChat API calls — appropriate for the stated purpose. But the registry metadata claims no required env vars (contradiction). The code also looks for a .secrets/wechat_mp.env in two specific locations (one under the user's home 'openclaw-workspace' and one relative to the script path several directories up), which could cause it to read credential files outside the skill folder; that should be explicit and verified.
Persistence & Privilege
No 'always' privilege. The only persistent write is a token cache file in the system temp directory (wechat_mp_token.json), used to store access_token and expiry; this is reasonable for token caching and scoped to the temp directory.
What to consider before installing
This skill largely does what it says (WeChat MP management), but there are a few red flags to consider before installing or running it: - Metadata mismatch: the registry lists no required env vars, but the scripts require WECHAT_MP_APP_ID and WECHAT_MP_APP_SECRET. Don't trust the registry entry — provide those credentials only if you intend to connect to your WeChat Official Account. - Check .secrets behavior: the code will try to read a .secrets/wechat_mp.env file from specific locations (~/openclaw-workspace/.secrets/wechat_mp.env and a relative parent-level .secrets directory). If you keep secrets in a different path, the script may fail or may pick up other files unexpectedly. Ensure no sensitive credentials you don't want used are in those paths. - Pip auto-install: md2html.py will run pip to install 'markdown' and uses --break-system-packages. Run the scripts in an isolated virtualenv/container (or pre-install required packages) to avoid altering system packages. - Token cache: the access_token is cached in the system temp directory; if you need stricter controls, remove or relocate that cache. Recommendations: run in an isolated environment (virtualenv or container), verify/update the registry metadata to declare required env vars, inspect or remove any unexpected .secrets files under the paths the script checks, and consider removing the '--break-system-packages' behavior or preinstalling dependencies yourself.

Like a lobster shell, security has layers — review code before you run it.

latestvk97bz0hpgdes8fwntngwxt2nf985p3fy
30downloads
0stars
1versions
Updated 10h ago
v1.0.0
MIT-0
@huuuwnnn-droid
latest
Download

Skill: wechat-mp-publisher

微信公众号自动化管理。支持草稿发布、菜单管理、自动回复查询、Markdown排版。

Triggers

  • "发布公众号文章", "微信公众号", "公众号草稿", "公众号菜单"
  • "wechat mp", "publish article", "mp draft"

Prerequisites

  • 环境变量 WECHAT_MP_APP_IDWECHAT_MP_APP_SECRET,或 .secrets/wechat_mp.env 文件
  • Python 3.7+

Usage

所有脚本位于 scripts/ 目录。工作目录应为 skill 根目录。

一键发布(最常用)

输入一个 Markdown 文件 + 封面图 → 自动完成图片上传、HTML转换、创建草稿。

cd skills/wechat-mp-publisher
python3 scripts/publish.py <markdown文件> <封面图> <标题> [作者] [摘要] [主题]

主题可选:default(清爽简约)、elegant(文艺范)、dark(暗色科技)

草稿管理

# 获取Token(测试连通性)
python3 scripts/wechat_mp.py token

# 上传图片素材(永久)
python3 scripts/wechat_mp.py upload <图片路径>

# 上传文内图片
python3 scripts/wechat_mp.py upload-article-image <图片路径>

# 创建草稿
python3 scripts/wechat_mp.py draft-create '{"title":"标题","author":"作者","content":"<p>内容HTML</p>","thumb_media_id":"xxx","digest":"摘要"}'

# 列出草稿
python3 scripts/wechat_mp.py draft-list [offset] [count]

# 删除草稿
python3 scripts/wechat_mp.py draft-delete <media_id>

菜单管理

# 查询菜单
python3 scripts/menu.py get

# 创建菜单
python3 scripts/menu.py create '{"button":[{"type":"view","name":"官网","url":"https://example.com"}]}'

# 删除菜单
python3 scripts/menu.py delete

自动回复查询

python3 scripts/wechat_mp.py autoreply

Markdown转HTML

python3 scripts/md2html.py <markdown文件> [主题名]

Notes

  • Token自动缓存2小时,无需手动管理
  • 所有API错误有中文提示
  • 图片支持永久素材上传和文内图片上传两种模式

Comments

Loading comments...