ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

微信公众号自动排版发布---一键安装

部署微信公众号发布Agent团队(画境视觉设计+数澜运营发布),含封面设计、排版美化、API发布、数据分析。使用 /wechat-publisher-setup 触发部署,需先安装 content-creation。

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 55 · 0 current installs · 0 all-time installs
by@little-ke
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
Name/description (WeChat publisher setup) align with requiring Node and providing scripts/templates for two agents. The requested capabilities (deploy templates, write an .env with AppID/AppSecret, call WeChat API) are consistent with the stated purpose.
!
Instruction Scope
SKILL.md instructs storing credentials at ~/.openclaw/workspace-wechat-publisher/.env and copying scripts into that workspace. However, the runtime script (wechat_publish.cjs) is coded to load environment from ~/.openclaw/workspace-content-team/.env (and cache token in workspace-content-team). The script will error unless a differently-named workspace exists, and — more importantly — will read/write files in a workspace directory that is NOT the one the deploy instructions create. This is a scope mismatch and could cause the skill to read other workspaces' credentials or write token cache into a different workspace than expected. The setup script also enforces the presence of a content-creation team by parsing openclaw agents list in a slightly different way than the SKILL.md describes (checks for specific agent ids).
Install Mechanism
No remote downloads or package installs; the skill is instruction-heavy and ships two local Node scripts which are copied into the user's ~/.openclaw workspace. No suspicious external URLs or archive extraction steps are present.
!
Credentials
The skill does not declare required env vars in registry metadata (none declared) but asks the user to input WECHAT AppID/AppSecret and then writes them to an .env in ~/.openclaw/workspace-wechat-publisher/.env. Meanwhile the script looks for and caches tokens in ~/.openclaw/workspace-content-team (a different path). That means the executable will access config paths belonging to another workspace (workspace-content-team), which is disproportionate and incoherent: either the SKILL.md or the script is wrong. This introduces risk of accidental access to credentials from other workspaces.
Persistence & Privilege
The skill writes files into the user's home (~/.openclaw/workspace-wechat-publisher) and registers agents via the openclaw CLI — expected for a deployment tool. It does not request 'always: true' or alter other skills' configurations explicitly, but because the script targets a different workspace path (workspace-content-team) it may create or modify files outside its own workspace which is a privilege concern.
What to consider before installing
This package mostly does what it claims (deploys two local agents and provides a Node script to call WeChat APIs), but there are clear inconsistencies you should address before trusting it: 1) The SKILL.md tells you to store credentials at ~/.openclaw/workspace-wechat-publisher/.env, but the script (wechat_publish.cjs) reads ~/.openclaw/workspace-content-team/.env and caches tokens in that other directory. That means the script may read or write credentials in a different workspace than the one the installer creates. 2) The setup script invokes the openclaw CLI to register agents and requires certain existing agents; inspect the commands it will run (it uses execSync) and consider running it in a controlled environment or doing a dry run. Recommended actions: - Do not enter real AppID/AppSecret until you confirm and fix the path mismatch in wechat_publish.cjs (search for defaultEnvPath/defaultTokenCachePath and change to workspace-wechat-publisher). - Inspect the scripts locally (they are small) to verify they only contact api.weixin.qq.com and do not exfiltrate data elsewhere. - If you will use this on production credentials, back up your existing ~/.openclaw directory and run the setup in an isolated account or VM first. - Ask the skill author to correct the inconsistent workspace names and to explicitly declare which config path the script will use. If you cannot get a corrected version, consider manually deploying the templates and using a vetted WeChat publish tool instead.
scripts/setup.cjs:25
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk971d15ckfkn7adz5hvddj12mh83hyfd

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binsnode

SKILL.md

微信公众号发布团队 - 自动部署

当用户调用 /wechat-publisher-setup 时,执行以下步骤部署 2 人微信发布 Agent 团队。

概述

部署微信公众号专属的发布团队:

  • 画境(视觉设计师)、数澜(运营分析师)

Step 1:环境检查

  1. 确认 OpenClaw 已安装
  2. 确认 content-creation 团队已部署(检查 mobai/tanfeng/jinshu 是否已注册)
    • 未部署 → 提示"请先运行 /content-creation 部署内容创作团队"→ 终止
  3. 检查是否已存在 huajing/shulan Agent
    • 已存在 → 提示是否覆盖

Step 2:配置微信公众平台 API

向用户说明:API 对接用于自动化发布和数据拉取。

依次询问:

  1. 账号类型:订阅号 / 服务号
  2. AppID(公众平台后台 → 开发 → 基本配置)
  3. AppSecret

可选: 4. 是否已将服务器 IP 加入白名单?

将凭证写入安全配置文件:

mkdir -p ~/.openclaw/workspace-wechat-publisher
cat > ~/.openclaw/workspace-wechat-publisher/.env << 'EOF'
WECHAT_APP_ID=用户输入的AppID
WECHAT_APP_SECRET=用户输入的AppSecret
WECHAT_API_BASE=https://api.weixin.qq.com
WECHAT_ACCOUNT_TYPE=用户选择的账号类型
EOF
chmod 600 ~/.openclaw/workspace-wechat-publisher/.env 2>/dev/null || true

验证连通性:

node {baseDir}/scripts/wechat_publish.cjs token

Step 3:部署文件

  1. {baseDir}/templates/ 复制文件到: 
    ~/.openclaw/workspace-wechat-publisher/huajing/
~/.openclaw/workspace-wechat-publisher/shulan/
  2. 复制 {baseDir}/scripts/wechat_publish.cjs~/.openclaw/workspace-wechat-publisher/scripts/
  3. 输出进度: 
    [1/2] huajing(画境 - 视觉设计师)→ 已部署
[2/2] shulan(数澜 - 运营分析师)→ 已部署

Step 4:注册 Agent

openclaw agents add huajing \
  --name "画境" \
  --workspace "~/.openclaw/workspace-wechat-publisher/huajing" \
  --description "微信视觉设计师 - 封面设计与排版美化"

openclaw agents add shulan \
  --name "数澜" \
  --workspace "~/.openclaw/workspace-wechat-publisher/shulan" \
  --description "微信运营分析师 - API发布与数据分析"

Step 5:验证

  1. 确认 2 个 agent 注册成功
  2. 输出部署报告: 
    ✅ 微信发布团队部署完成
├── 🎨 画境(视觉设计师)    → 已就绪
└── 📊 数澜(运营分析师)    → 已就绪
  3. 提示:使用 /wechat-publish-workflow 启动微信发布流水线
  4. 发布脚本位置:{baseDir}/scripts/wechat_publish.cjs

错误处理

  • content-creation 未部署 → 提示先安装
  • 微信 API token 获取失败 → 检查 AppID/AppSecret、IP 白名单
  • Agent 注册失败 → 检查重名

Files

19 total
Select a file
Select a file to preview.

Comments

Loading comments…