wechat-message

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill's stated local-only automation purpose is plausible, but its documentation and code enable sending chat content to external AI endpoints, and the package metadata omits the API key requirement. This creates a privacy/exfiltration mismatch that should be probed before installing.

This skill appears to be a real WeChat UI automation tool, but there are two red flags you should address before installing or running it: (1) SKILL.md documents an automatic-reply feature that sends chat text to an AI API and requires CHAT_API_KEY, yet the registry metadata does not declare any required environment variables; confirm where and how you must supply the key. (2) The README asserts that 'all operations are local', while the auto-reply feature will transmit messages to whatever api_url you configure, so a remote server could receive private conversations. If you plan to use auto-reply, point api_url to a trusted or local server, or avoid using auto_process entirely. Also review the included scripts/wechat.py yourself (or run it in a sandbox/VM) to verify there are no hardcoded endpoints or unexpected network calls, and be cautious when granting macOS accessibility or screen-recording permissions. If you need higher confidence, ask the publisher to update the registry metadata to declare CHAT_API_KEY and to clearly document what data is sent to external services, or request a code audit.

Static analysis

Static analysis findings are pending for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

No visible risk-analysis findings were reported for this release.