Xiaohu WeChat Format
Warn
Audited by ClawScan on May 11, 2026.
Overview
The skill mostly matches its WeChat publishing purpose, but it can upload article-referenced files or URLs to WeChat, use sensitive account/API secrets, auto-post comment replies, and edit article files with limited safeguards.
Use local formatting and previews freely, but before enabling publishing or comment replies, protect config.json, run dry-runs, inspect all image sources in imported articles, avoid untrusted HTML, require explicit confirmation for WeChat writes, and back up articles before cover insertion.
Findings (8)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or mistaken image reference in imported/edited HTML could cause the agent to fetch internal URLs or upload unintended local files to WeChat CDN/material APIs.
Article HTML src values can drive both remote downloads and local file reads before uploading to WeChat, and the shown code does not restrict hosts or confine local paths to the article/image directory.
if src.startswith("http://") or src.startswith("https://"): local_path = download_external_image(src) ... cdn_url = upload_content_image(token, local_path) ... local_path = article_dir / src ... upload_content_image(token, str(local_path))
Before publishing, inspect image sources; the skill should reject absolute paths and '..' traversal, resolve paths under an allowed image directory, allowlist remote image domains, validate real image MIME types before upload, and ask before fetching unusual external URLs.
One confirmed run could post AI-generated public replies from the user's WeChat account across multiple comments, which may create reputational or moderation problems.
The comment helper has a dry-run option, but the default documented run scans and sends AI-generated replies rather than requiring per-comment approval.
python3 comment_reply.py # scan and reply ... parser.add_argument("--dry-run" ... ) ... if args.dry_run: ... continue ... ok, resp = send_reply(...)
Use --dry-run first, limit the article count, review generated replies manually, and prefer a workflow that requires explicit approval for each public reply.
A user's article file may be changed unexpectedly when they only intended to generate a cover image.
The cover subskill instructs the agent to modify the provided article file by default without asking the user first.
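If the input is an article path, **insert directly by default** (no need to ask):
- Use the Markdown image format `` to insert it on the line below the article title (H1)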
Ask before editing source articles, show a diff, and write to a copy or create a clear backup before modifying the original file.
The cover-generation workflow may push an AI provider toward content it would otherwise decline or handle more cautiously.
The fixed image prompt tells the generation model not to refuse in sensitive/copyright-person scenarios, which can override normal safety or rights-related judgment.
If sensitive or copyrighted persons are involved, use a substitute figure in a similar style; generation must not be refused
Remove refusal-suppression wording and let the user and provider safety controls decide whether a requested cover is appropriate.
Anyone who gets the config can potentially use the WeChat account APIs or the configured AI provider key.
The skill expects WeChat and AI API credentials for publishing, comments, and generation; this is purpose-aligned, but these credentials authorize sensitive account actions.
"wechat": { "app_id": "YOUR_APP_ID", "app_secret": "YOUR_APP_SECRET" } ... "api_key": "YOUR_OPENROUTER_API_KEY"
Keep config.json private, use least-privilege credentials where possible, rotate keys if exposed, and ensure registry metadata accurately declares credential needs.
Comment and article content may be shared with the configured AI provider during reply generation.
The auto-reply helper sends article summaries and reader comments to a configurable external AI chat-completions endpoint.
user_msg += f"文章内容摘要:{article_digest}\n" ... user_msg += f"\n读者评论:{comment_content}\n\n请生成回复:" ... requests.post(f"{ai_config['url']}/chat/completions"
Use a trusted provider, avoid sending sensitive/private comments unless necessary, and disclose this data flow before enabling AI replies.
Public or semi-private account interaction data can remain on disk after the task, and future runs rely on that state.
The comment helper stores reply state and logs comment content/replies locally for reuse across runs.
STATE_PATH = SCRIPT_DIR.parent / "comment_state.json"; LOG_PATH = SCRIPT_DIR.parent / "comment_reply.log" ... log(f" 💬 [{item['comment_id']}] {content}")
Review and periodically delete comment_reply.log and comment_state.json if not needed, and avoid logging sensitive comments.
Future package changes could alter behavior when the command is run in a fresh environment.
The documented runtime commands fetch packages by name without pinned versions; this is normal for an instruction-only Python skill but affects reproducibility and supply-chain review.
uv run --with markdown --with requests --with pillow python {skill}/scripts/publish.py
Pin dependency versions or provide a reviewed lock/install spec for repeatable execution.
