wechat mp push: WeChat Official Account article generation and push skill

Advisory

Audited by static analysis on May 10, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If invoked on the wrong account or without clear approval, existing WeChat public-account drafts could be removed.

Why it was flagged

The skill documents an API action to empty the WeChat draft box for an authorized account, but the artifacts do not show confirmation, preview, scoping to skill-created drafts, or rollback.

Skill content

### Clear the draft box ... { "action": "cleanupDrafts", "openId": "", "appId": "" }

Recommendation

Only run draft cleanup after explicit user confirmation; ideally add a dry run, list affected drafts, require the selected appId, and restrict deletion to drafts created by this skill.

What this means

Anyone or any agent with access to the saved config.json may be able to push drafts for the authorized account through the provider service.

Why it was flagged

The skill uses a QR-derived WeChat openId and account list as delegated authority for WeChat draft operations.

Skill content

"openId": "必填。微信用户 openId,由配置向导微信扫码后得到;推送 sendToWechat 必须携带。禁止编造。"

Recommendation

Authorize only intended accounts, review config.json before use, keep it private, and revoke or regenerate authorization if it is exposed.

What this means

Article drafts and account identifiers are transmitted to the pcloud service, or to another endpoint if apiBase is changed in the config.

Why it was flagged

The helper sends the WeChat openId, title, HTML/body content, optional cover HTML, and sendMode to the configured API endpoint.

Skill content

const apiBase = cfg.apiBase || DEFAULT_API; ... const body = { action: 'sendToWechat', openId: cfg.openId, title: title.slice(0, 64), thumbImageContent, content, sendMode }; ... const res = await postJson(apiBase, body);

Recommendation

Verify that apiBase is the expected HTTPS provider URL and avoid pushing sensitive or unreleased content unless you trust that service.

What this means

The user must trust the remote wizard and provider service to handle the WeChat authorization flow and generated config correctly.

Why it was flagged

A key authorization/configuration step depends on a remote web wizard that is not included in the reviewed package.

Skill content

Configuration wizard URL | https://app.pcloud.ac.cn/design/wechat-mp-push.html ... user scans the QR code with WeChat → user selects the account to push to → user copies the result and sends it to the AI

Recommendation

Use only the documented URL, confirm the operator is trusted, and inspect the returned config before saving it.

What this means

Using the skill executes local JavaScript that reads the chosen HTML/cover files and posts them to the provider API.

Why it was flagged

The skill runs a bundled Node.js script to read local files and perform the API push; this is central to the stated purpose and the script is included for review.

Skill content

node push-to-wechat-mp.js targetAppId html 你的文件.html

Recommendation

Review generated files before pushing and run the helper only from the skill directory with intended filenames.