Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Audio to WeChat Article

v0.1.0

Turn meeting audio or a transcript plus optional images into a publish-ready WeChat Official Account article. Use when the user wants to go from 录音/文字稿/会议内容/...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description match the included scripts and instructions: transcription → brief → article JSON → WeChat markdown. However the pipeline hardcodes absolute paths to a local workspace and to another skill's transcription script (meeting-minutes-whisper), which is unexpected for a portable skill and suggests undeclared dependencies.
Instruction Scope
SKILL.md stays within the claimed scope (transcribe/clean → brief → draft → markdown → optional handoff). It references handing off to a WeChat publishing workflow but does not itself perform network publishing. Instructions and referenced files do not request unrelated data or env vars.
Install Mechanism
No install spec (instruction-only) — lowest install risk. But the packaged Python scripts will execute locally and invoke other scripts via subprocess; there is no sandboxing or verification of those external scripts. The lack of an install step means the skill assumes a local environment layout rather than installing known releases.
Credentials
The skill declares no required environment variables or credentials and the code does not read secrets or env vars. That is proportionate to its stated purpose. Note: the publish handoff references a separate WeChat posting workflow that would require credentials, but this skill does not request them.
Persistence & Privilege
always is set to false and the skill does not request persistent platform privileges. The scripts read and write files in the local filesystem (creating output files near the given prefix) but do not modify other skills' configurations.
What to consider before installing
This skill's behavior is broadly consistent with its description, but exercise caution before running the bundled scripts: they call /usr/bin/python3 and run other local scripts via subprocess, and they refer to absolute paths inside /Users/meizi/.openclaw/... (including a dependency on meeting-minutes-whisper). These issues are probably sloppy packaging rather than malice, but they mean the code will execute other local files if those paths exist. Before installing or running:
(1) Review the four Python scripts line by line (you already have them).
(2) Change the absolute BASE/WHISPER paths to relative paths, or confirm they point to the intended local copies.
(3) Verify that the referenced meeting-minutes-whisper and baoyu-post-to-wechat scripts are trusted, and inspect any publishing workflow for required credentials.
(4) Run in a sandboxed environment (container or VM) if you will run the scripts on uploaded audio or unknown files.
If you want higher assurance, ask the author to remove hardcoded paths and to declare any cross-skill dependencies and required credentials explicitly.

Like a lobster shell, security has layers — review code before you run it.
