md2WeChat-python
Review
Audited by ClawScan on May 1, 2026.
Overview
The skill appears to do what it claims, but draft mode intentionally uses WeChat credentials and uploads article content and images to WeChat.
This skill is reasonable for its stated purpose. Before installing, make sure you trust it with the intended WeChat public account credentials, protect any .env file, use --convert-only when you only want local HTML, and use --draft only when you are ready to upload the article and images to WeChat.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the tool with only a Markdown file and valid WeChat credentials will attempt to upload a draft instead of only producing local HTML.
Draft upload is the CLI default unless --convert-only is selected, so users and agents should choose the mode deliberately.
mode_group.add_argument('--draft', action='store_true', default=True,
                        help='转换并上传到微信草稿箱(默认模式)')
Use --convert-only for local conversion, and use --draft only when the user explicitly wants content uploaded to WeChat.
Anyone with access to the configured AppID and AppSecret can use the skill to upload materials and create drafts in that WeChat account.
The skill uses WeChat public-account credentials to act on the configured account, which is expected for draft creation but still sensitive.
appid = os.environ.get('WECHAT_APPID')
secret = os.environ.get('WECHAT_SECRET')
...
client = WeChatSkillClient(appid=appid, secret=secret)
Store the .env file securely, use credentials only for the intended WeChat account, and rotate the secret if it may have been exposed.
Article text and referenced images may leave the local machine and be stored by WeChat when draft mode is used.
Draft mode sends the converted article content to the WeChat API; the same client also uploads images to WeChat endpoints.
url = f"https://api.weixin.qq.com/cgi-bin/draft/add?access_token={self.client.access_token}"
...
'content': article['content'],
Only use draft mode for content and images that are intended to be uploaded to WeChat, and review the generated draft in the WeChat platform.
A later dependency release could change behavior or introduce vulnerabilities if installed without a lockfile.
The dependency list uses lower-bound versions rather than exact pins, which is common but gives future package versions influence over the installed environment.
wechatpy>=1.8.18
markdown>=3.4
beautifulsoup4>=4.12
requests>=2.28
python-dotenv>=1.0
Pillow>=9.0
cryptography>=40.0
Install in a virtual environment and consider pinning or locking dependency versions before using the skill with production credentials.
