WechatSync
v1.0.1Multi-platform article publisher and content distribution tool. Sync and cross-post Markdown/HTML articles to 27+ platforms including Zhihu (知乎), Juejin (掘金)...
⭐ 1· 345·0 current·0 all-time
by@lljxx1
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description (multi-platform article publisher) matches the declared binary (wechatsync), the npm package (@wechatsync/cli) used to install that binary, and the single required env var (WECHATSYNC_TOKEN) which the SKILL.md describes as a local token for CLI-extension communication.
Instruction Scope
SKILL.md instructs installing an npm CLI and a Chrome extension and describes a localhost token-based IPC model; the instructions stay within the publishing/extraction workflow (sync, platforms, extract) but rely on a browser extension that uses existing cookies to call platform APIs — the doc claims 'no third-party server involved' and 'data stays local', which is plausible but must be verified by inspecting the extension and CLI source and runtime behavior.
Install Mechanism
Install is a standard npm package (@wechatsync/cli) which produces the expected binary. This is an appropriate and proportional install mechanism for a CLI tool; moderate risk inherent to installing npm packages (audit source before installing).
Credentials
Only one env var (WECHATSYNC_TOKEN) is required and is described as a locally-created token for CLI<->extension communication — this is proportionate. However, the browser extension will use browser cookies (session auth) to act on platforms; those cookies/extension permissions are powerful and should be reviewed before granting.
Persistence & Privilege
Skill is not forced-always present and does not request system-wide config paths or other skills' credentials. Autonomous invocation is allowed (default) but not combined with other concerning privileges.
Assessment
This skill appears coherent for a local CLI that talks to a browser extension to publish/sync articles. Before installing or using it: 1) Install the npm package only from the official package and verify the package name/version on the project homepage (GitHub). 2) Install the Chrome extension only from the official Web Store link and review its permissions and source code if possible — the extension will use your browser cookies to act on platforms and could act with your logged-in sessions. 3) Treat WECHATSYNC_TOKEN as a local secret and do not share it; follow the SKILL.md advice to create it locally. 4) If you need stronger assurance that 'no third-party server' is involved, inspect the extension and CLI network activity (e.g., with a local proxy) or review their source to confirm they only communicate over localhost. 5) If you are uncomfortable granting a browser extension access to site cookies or installing an npm CLI you haven't audited, do not proceed.Like a lobster shell, security has layers — review code before you run it.
latestvk97dah253wv9910fm8e6gvjxtx82m137
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
📝 Clawdis
Binswechatsync
EnvWECHATSYNC_TOKEN
Primary envWECHATSYNC_TOKEN
Install
Node
Bins: wechatsync
npm i -g @wechatsync/cli