WechatSync

Review

Audited by ClawScan on May 10, 2026.

Overview

WechatSync is a purpose-aligned publishing tool, but users should understand it relies on an external npm CLI, a Chrome extension, browser login sessions, and can upload selected content to third-party platforms.

Before installing, make sure you trust the WechatSync npm package and Chrome extension, understand that selected articles and images will be sent to the target platforms, and run sync commands only after confirming the file and destination platforms. Use dry-run or draft review where possible.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If invoked with the wrong file or platforms, the tool could create drafts or upload media under the user's logged-in accounts.

Why it was flagged

The skill intentionally uses existing browser login sessions to act on content-platform accounts. This is expected for cross-posting, but it is sensitive account authority.

Skill content

Platform logins: Log in to target platforms in browser (extension uses existing browser cookies, no credentials are stored or transmitted)

Recommendation

Use only with accounts you intend to publish from, confirm the target platforms before syncing, review created drafts, and revoke or rotate the token if no longer needed.

What this means

A mistaken command could send the wrong article or images to multiple services, though the skill states articles sync as drafts by default.

Why it was flagged

The documented command can cross-post a selected article to multiple third-party platforms. This is the skill's stated purpose and is scoped by file and platform arguments.

Skill content

`wechatsync sync article.md -p juejin,zhihu,csdn`

Recommendation

Confirm the file path and platform list, consider using `--dry-run` first, and review the returned draft URLs before publishing.

What this means

Trust in the installed npm package and browser extension is necessary because they handle publishing actions and browser-session access.

Why it was flagged

The skill depends on external runtime components that are not included in the submitted artifact set. This is normal for this integration, but those components were not analyzed by the provided static scan.

Skill content

Install with `npm install -g @wechatsync/cli` ... Chrome extension ... Install from Chrome Web Store ... or download ZIP

Recommendation

Install from official sources, verify the package and extension publisher, review requested browser-extension permissions, and prefer pinned or known-good versions where possible.

What this means

Users could misunderstand the privacy boundary if they read 'all data stays local' as meaning content is never uploaded anywhere.

Why it was flagged

The 'all data stays local' wording should be read carefully because the skill's publishing function necessarily sends selected articles and images to target platforms and their CDNs.

Skill content

Security model: All data stays local... The extension calls platform APIs directly from the browser... Images auto-uploaded to target platform CDN

Recommendation

Clarify that there is no WechatSync intermediary server, but selected article content and images are still sent directly to the chosen publishing platforms.