Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

WeWrite

v1.1.3

WeChat Official Account content pipeline assistant: hot-topic capture → topic selection → outline → writing → SEO / AI-trace removal → visual AI → layout and push to the drafts box. Trigger keywords (kept as configured): 公众号、推文、微信文章、微信推文、草稿箱、微信排版、选题、热搜、热点抓取、封面图、配图、写公众号、写一篇、主题画廊、排版主题、容器语法. Also covers: markdown to WeChat format...

by Ray Wang @oaker-io
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability (flagged)
The skill claims to be a WeChat public-account content pipeline, which reasonably needs WeChat API credentials and an image-generation API key and may call web search/LLM. However, the package declares no required environment variables or primary credential, yet the scripts and instructions clearly expect: a WeChat appid/secret (fetch_stats.py), an image API key (SKILL.md checks image.api_key), and LLM/LLM-provider keys (build_playbook.py mentions ANTHROPIC_API_KEY / ARK). Also, some toolkit scripts probe multiple config locations (including Path.home()), which goes beyond the stated baseDir. These mismatches (needed secrets not declared; cross-dir config probing) are incoherent with the declared metadata.
Instruction Scope (flagged)
SKILL.md instructs the Agent to run many local Python scripts, read and write files under the skill directory, and to call external services (WeChat datacube APIs, web_search, image generation). The scripts also look for config files in the user's home (~/.config/wewrite/config.yaml) and CWD, so the agent may read user config outside the skill folder. The pipeline also runs 'git pull origin main' to update itself. These runtime steps are within the skill's purpose but extend scope to: (1) reading config files in user home, (2) network requests to APIs, and (3) pulling remote code — all of which are not reflected in the skill's declared requirements and should be explicitly called out to the user.
Install Mechanism
There is no install spec (instruction-only), which reduces upfront supply-chain risk. However, the repository contains many Python scripts and a requirements.txt; SKILL.md suggests running 'pip install -r requirements.txt' when dependencies are missing. That means code will be executed locally with dependencies installed ad hoc by the user/agent. No archived/remote installers were included, which is lower installer risk, but executing 'git pull origin main' later can replace local code with remote code and is a runtime supply-chain vector.
Credentials (flagged)
The skill requests no environment variables in metadata, but code and instructions clearly require credentials: WeChat appid/secret (fetch_stats.py), an image API key (image generation module and SKILL.md), and optionally LLM API keys (build_playbook.py mentions ANTHROPIC_API_KEY / ARK API key). The skill also searches multiple config paths (including the user's home directory) for config.yaml, which may cause it to read unrelated credentials on the host. The missing declaration of these required secrets and the wide config path probing are disproportionate and increase risk.
Persistence & Privilege
always: false (good). The skill can be invoked autonomously (disable-model-invocation: false), which is normal. It also includes an update step that runs 'git pull origin main' in the skill directory; while updating itself is understandable for a tool, it gives the skill the ability to change its code at runtime when the agent executes that step. Combined with the other concerns (undeclared credentials, home-config probing), this increases the operational blast radius and warrants caution.
Scan Findings in Context
[wechat_api_call_in_fetch_stats.py] expected: fetch_stats.py makes requests to api.weixin.qq.com and requires wechat appid/secret — this is expected for a WeChat article assistant. However the skill metadata did not declare required WeChat credentials.
[llm_key_requirement_in_build_playbook.py] expected: build_playbook.py comments state it requires ANTHROPIC_API_KEY or ARK API key. That's plausible because the script prepares prompts for LLM analysis, but the skill metadata does not declare any LLM API key requirements.
[reads_home_config_TOOLKIT_CONFIG_PATHS] unexpected: scripts (e.g., fetch_stats.py) look for config.yaml in multiple locations including Path.home()/.config/wewrite/config.yaml and Path.cwd(). Reading user home config is broader than a skill confined to its baseDir and may expose unrelated secrets — this is not justified in the metadata.
[git_pull_update_in_SKILL.md] expected: SKILL.md instructs running 'git pull origin main' to update the skill. Self-update is a plausible feature but performs network fetches and can replace local code; combined with missing declared requirements it increases risk and should be made explicit to the user.
What to consider before installing
In plain terms — the skill appears to do what it says (write and publish WeChat articles), but its code and runtime steps expect credentials and access that were not declared in the skill metadata, and it will look for config files beyond the skill folder and can pull code from the network. Before installing or running this skill:

- Expect to provide WeChat credentials (appid + secret) if you want publishing/stats to work, and an image API key if you want image generation. The skill does not list these as required env vars, so supply them consciously and avoid putting other secrets in the same config file.
- Review toolkit/wechat_api.py, scripts/fetch_stats.py, and toolkit/image_gen.py to confirm what is sent to external endpoints and whether any identifiers are logged or transmitted.
- Be cautious about the 'git pull origin main' update step: running it will fetch and run remote code. Only run updates from a trusted repository or inspect the fetched changes before executing.
- The scripts search multiple config locations (including ~/.config/wewrite/config.yaml). If you have unrelated configs in your home directory, move or inspect them; sensitive credentials there could be read.
- Dependencies are installed ad hoc via pip if needed; run pip install in a virtualenv or sandbox and inspect requirements.txt first.
- If you want minimal risk, run the skill in an isolated environment (container or VM), give it only the credentials it needs for the features you intend to use, and avoid granting it broad access to your home directory or long-lived LLM keys unless necessary.

If you want, I can list the specific files and lines that reference external endpoints, home paths, or LLM keys so you (or an admin) can audit them before use.
