WeChat Official Account Operations Tool
Review
Audited by ClawScan on May 12, 2026.
Overview
The skill largely matches WeChat account operations, but it asks for sensitive account credentials and tells users to whitelist a fixed, unexplained IP address.
Before installing, confirm that you understand where the WeChat AppSecret and browser session file will be stored, never share or commit them, and do not add 112.8.202.216 to your WeChat IP whitelist unless you can verify it is the correct trusted runtime IP for your setup.
Publisher note
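End-to-end operations skill for WeChat Official Accounts. Covers the complete workflow: topic research, content creation, image generation, content optimization, writing directly to the drafts box via API / layout proofreading, scheduled publishing, and data analysis. Works together with skills such as humanizer, agent-browser, automation-workflows, baidu-search, and multimodal content generation. Trigger words: 公众号运营, 微信推文, 公众号排版, 公众号发布, 写推文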
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may grant WeChat API access from an IP that is not their own, expanding the account permission boundary for a public publishing account.
The skill requires sensitive WeChat account credentials and instructs users to whitelist a specific fixed IP address without explaining who controls it or why it is necessary.
Have the Official Account AppID + AppSecret (viewable in the admin console)
- The calling server IP `112.8.202.216` has been added to the IP whitelist
- Credentials are saved in `{workspace}/wechat_credentials.json`
Only whitelist an IP address you control or a clearly documented trusted runtime IP; verify 112.8.202.216 before adding it, and rotate the AppSecret if it may have been exposed.
Running the script on the wrong file or account could create unintended drafts or upload unintended images to the WeChat account.
The script performs real WeChat API mutations by uploading media and creating an account draft. This is aligned with the skill's purpose, but it changes account state.
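Functions:
1. Read wechat_credentials.json to get the AppID and AppSecret
2. Obtain the Access Token
3. Upload the cover image as permanent material
4. Convert Markdown to WeChat draft JSON
5. Submit the draft to the Official Account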
Run the script only on intended article and cover files, and review the generated draft in WeChat before public publishing.
Anyone who obtains the saved browser state may be able to reuse the WeChat login session for account operations.
The browser automation workflow saves and reloads a logged-in WeChat public-platform session file. This is disclosed and purpose-aligned, but the file is sensitive.
agent-browser state save wechat-mp-auth.json
# Load the state for later use
agent-browser state load wechat-mp-auth.json
Store the browser state file securely, do not commit or sync it, and delete it when no longer needed.
Future package versions or a compromised package source could affect the helper scripts.
The install guide asks users to install unpinned Python dependencies. These packages are normal for the included scripts, but versions and hashes are not fixed.
pip install requests Pillow
Install from a trusted Python environment and consider pinning known-good versions of requests and Pillow.
