ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

wechat-mp-draft-publisher

v0.0.1

Publish WeChat Official Account draft articles through a packaged CLI executable that wraps WeChat API calls. Use when the user wants to publish or create a...

0· 65·0 current·0 all-time
by@mesus
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the implementation: the wrapper enforces getAuth -> uploadArticleImage -> uploadCoverImage -> addDraft. Requiring a local WeChat credentials file (~/.weixin_credentials) and optionally a CLI binary or GitHub release is consistent with the purpose. However, registry metadata claimed no required config paths or env vars while the SKILL.md and scripts require/accept MP_WECHAT_* env vars and the ~/.weixin_credentials file — a metadata mismatch (declaration vs actual requirements). The scripts also rely on common tools (curl, python3, unzip, file, sed, awk, grep) though the skill metadata lists no required binaries.
Instruction Scope
SKILL.md keeps instructions focused on uploading images and creating drafts and documents the run order and required local files. The wrapper enforces the sequence and emits structured JSON. The script does not read arbitrary system files beyond checking for existence of ~/.weixin_credentials, nor does it transmit data to unexpected endpoints by itself. It does, however, run an external mp-weixin-skill binary (user-provided or auto-downloaded) and will execute that binary with credentials-derived tokens — this expands runtime scope to whatever that binary does (the wrapper does not inspect or sandbox it).
!
Install Mechanism
Although the installer supports GitHub releases (expected), it also accepts direct arbitrary URLs and will download and execute or extract the asset without validating checksums or signatures. The installer uses curl/unzip and Python to parse release JSON and will place a downloaded binary under <skill>/bin and mark it executable. Auto-downloading and running an unverified binary from a user-provided URL (or from a GitHub release with no verification) is high-risk.
!
Credentials
The skill requires a local credentials file (~/.weixin_credentials with appid/secret) but the registry metadata listed no required config paths — this omission is a material mismatch. The installer will also use a GITHUB_TOKEN environment variable if present to authenticate GitHub API/asset downloads (reasonable for private releases), so users should be aware the script will include that header when calling GitHub. No other unrelated credentials are requested.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It writes the downloaded executable into the skill's bin directory and executes it — normal for a wrapper but effectively grants the skill persistent executable code (the downloaded binary) that will run on invocation. Autonomous invocation is allowed by default (not flagged by itself) but increases blast radius because the skill executes external code.
What to consider before installing
This skill appears to do what it claims (publish WeChat drafts), but take these precautions before installing or running it: 1) The wrapper requires a local credentials file at ~/.weixin_credentials (appid/secret) but that requirement is not declared in the registry metadata — only provide credentials you trust and consider using a service account with limited permissions. 2) Prefer supplying a vetted local mp-weixin-skill binary via --bin or MP_WECHAT_CLI_BIN rather than allowing the installer to auto-download an executable. 3) If you must auto-download, point MP_WECHAT_GITHUB_REPO to the official repository and verify release checksums/signatures out-of-band; avoid arbitrary MP_WECHAT_RELEASE_URL values from untrusted hosts. 4) Be aware the installer will use your GITHUB_TOKEN env var if present; avoid exposing a highly privileged token. 5) Inspect the mp-weixin-skill binary source (or run it in a sandbox/container) before use, since the wrapper executes that binary and will inherit any behavior it contains. If you cannot verify the released binary or prefer safer operation, decline auto-download and run a known-good local CLI instead.

Like a lobster shell, security has layers — review code before you run it.

latestvk974hy8bpw1x874njpb8v90qm183t4zg

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments