Wechat MP Article Stats Comments Suite - 微信公众号管理套件
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This WeChat management skill mostly matches its stated purpose, but it uses powerful account credentials and can leak a saved WeChat cookie to arbitrary URLs or apply user-management actions across all configured accounts.
Use this only in a controlled environment for WeChat accounts you manage. Avoid setting WECHAT_MP_COOKIE unless you are fetching a trusted WeChat page, keep WECHAT_MP_ACCOUNTS limited to the accounts you intend to modify, and manually confirm any publish, delete, comment, or blacklist operation before execution.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the cookie is set, fetching an untrusted article or image URL could disclose the user’s WeChat session cookie to that site.
The script accepts a caller-provided URL and attaches WECHAT_MP_COOKIE to the request without a WeChat-domain allowlist, so a sensitive session cookie could be sent to a non-WeChat or attacker-controlled URL.
url = str(req.get("url") or "").strip() ... cookie = str(req.get("cookie") or os.environ.get("WECHAT_MP_COOKIE", "")).strip() ... if cookie: headers["Cookie"] = cookie ... requests.get(url, headers=headers, timeout=timeout)
Do not set WECHAT_MP_COOKIE globally unless necessary; only fetch trusted WeChat URLs while it is set. The skill should restrict cookie forwarding to approved WeChat domains or require an explicit per-request cookie decision.
A mistaken or overbroad blacklist/unblacklist request could affect followers across multiple WeChat public accounts instead of just one.
When WECHAT_MP_ACCOUNTS is configured, the user-management command loop applies the requested action to every configured account; for blacklist mutations there is no visible target-account selector in this script.
accounts, err = _load_accounts() ... for acc in accounts or []: ... elif cmd == "blacklist_add": data, err = _cmd_blacklist_add(token, req)
Use a single-account environment for sensitive operations, review the JSON request before running it, and prefer adding explicit target-account selection and confirmation for blacklist changes.
The skill can change public-account content and follower state, not just read information.
The skill clearly documents mutating WeChat operations, including deleting drafts/comments, submitting drafts for publication, and blacklisting users; these are purpose-aligned but high impact.
Draft management: batch-fetch drafts, get draft details, delete drafts ... submit a draft for publication ... comment management ... delete comments ... user management ... batch blacklist users
Only install it for accounts you administer, and require human review before publish, delete, comment-moderation, or blacklist actions.
Future package changes or a compromised dependency could affect the skill’s behavior.
The documented setup installs unpinned packages directly from the Python package ecosystem; this is common for a Python utility but does not provide version pinning or a lockfile.
pip install requests markdown pillow
Install in a virtual environment and pin reviewed dependency versions if using this for important accounts.
