WeChat MP Reader

This skill does what it says (fetch WeChat articles and optionally use the WeChat MP backend), but pay attention to these points before installing or using it: - Sensitive session material: The skill can accept WECHAT_MP_COOKIE and WECHAT_MP_TOKEN from environment variables or obtain them via a QR login flow. When successful it will write session data and login state to files under scripts/cache/ (e.g., session.json, login-state.json). Those files contain cookies/tokens and should be treated as secrets — do not enable this on shared hosts or without auditing the code. - Missing dependency declarations: The skill relies on Python packages (requests and Playwright) and a runnable Playwright WebKit. The registry entry does not declare these dependencies or provide an install step, so the agent host may lack required binaries. Install Playwright and test in a controlled environment first. - Limit the blast radius: If you only need public-article extraction, prefer providing article URLs and avoid using the 'session' features (search/list) which require login. If you do use session features, run the skill in an isolated container/VM, inspect and delete the saved session files after use, and avoid supplying session material from accounts you cannot afford to expose. - Code review & provenance: The source owner is unknown and the package homepage is missing. If you will provide login credentials or use QR login, review the code paths that save and load cookies (scripts/wechat_mp_reader/session_store.py and qr_login.py) and confirm there are no unexpected network calls to endpoints other than mp.weixin.qq.com or obvious avatar/content URLs. - Operational hygiene: After use, remove saved session and state files from scripts/cache/, rotate any exposed credentials, and consider running the skill with minimal privileges and network access restricted to necessary domains.