WeChat Official Account Article Auto-Generation and Publishing

Review

Audited by ClawScan on May 12, 2026.

Overview

The skill appears purpose-aligned for creating WeChat drafts, but it handles AppSecret credentials, uses a fixed IP whitelist, and writes to the WeChat account, so users should verify setup before use.

Before installing or using this skill, confirm that you trust the execution environment, that the fixed IP address is the correct one to whitelist in WeChat, and that the credential file is stored securely. Expect the script to upload the selected cover image and create a draft in the configured WeChat public account.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone using this skill must protect the AppSecret and should only whitelist an IP they trust as the actual execution environment.

Why it was flagged

The skill asks the user to store WeChat account secrets locally and modify the WeChat API IP whitelist. This is expected for the integration, but it affects the account security boundary.

Skill content
Add the server's outbound IP: `112.8.202.216` ... Create `wechat_credentials.json`: { "appid": "你的AppID", "appsecret": "你的AppSecret" }
Recommendation

Verify that 112.8.202.216 is the correct outbound IP for your agent or server before adding it to the WeChat whitelist, and keep wechat_credentials.json out of shared folders and source control.

What this means

Running the publish script will create material and a draft in the configured WeChat public account.

Why it was flagged

The script uses the WeChat API to upload a permanent cover image and submit a draft. These are intended actions, but they mutate the user's WeChat account.

Skill content
media_id = upload_permanent_material(token, cover_path) ... submit_draft(token, draft)
Recommendation

Run the script only after reviewing the article, cover image, target account credentials, and whether you want the draft created.

What this means

Users may need to install dependencies manually, which can introduce normal package provenance and version risks.

Why it was flagged

The included scripts depend on external Python packages, but there is no pinned install specification or lockfile in the artifacts.

Skill content
No install spec — this is an instruction-only skill.
Recommendation

Install requests and Pillow from trusted package sources, consider pinning versions in your own environment, and review dependency changes before use.