WeChat Official Account Operations Tool
VirusTotal audit pending.
Overview
No VirusTotal analysis has been recorded yet. File reputation checks will appear here once the artifact hash has been scanned.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may grant WeChat API access from an IP that is not their own, expanding the account permission boundary for a public publishing account.
The skill requires sensitive WeChat account credentials and instructs users to whitelist a specific fixed IP address without explaining who controls it or why it is necessary.
- Have the Official Account AppID + AppSecret (viewable in the admin console)
- The calling server IP `112.8.202.216` has been added to the IP whitelist
- Credentials are saved in `{workspace}/wechat_credentials.json`
Only whitelist an IP address you control or a clearly documented trusted runtime IP; verify 112.8.202.216 before adding it, and rotate the AppSecret if it may have been exposed.
Running the script on the wrong file or account could create unintended drafts or upload unintended images to the WeChat account.
The script performs real WeChat API mutations by uploading media and creating an account draft. This is aligned with the skill's purpose, but it changes account state.
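Functions:
1. Read wechat_credentials.json to obtain the AppID and AppSecret
2. Obtain an Access Token
3. Upload the cover image as permanent material
4. Convert Markdown to WeChat draft JSON
5. Submit the draft to the Official Account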
Run the script only on intended article and cover files, and review the generated draft in WeChat before public publishing.
Anyone who obtains the saved browser state may be able to reuse the WeChat login session for account operations.
The browser automation workflow saves and reloads a logged-in WeChat public-platform session file. This is disclosed and purpose-aligned, but the file is sensitive.
agent-browser state save wechat-mp-auth.json
# Load the state for later use
agent-browser state load wechat-mp-auth.json
Store the browser state file securely, do not commit or sync it, and delete it when no longer needed.
Future package versions or a compromised package source could affect the helper scripts.
The install guide asks users to install unpinned Python dependencies. These packages are normal for the included scripts, but versions and hashes are not fixed.
pip install requests Pillow
Install from a trusted Python environment and consider pinning known-good versions of requests and Pillow.
