ClawHub

WeChat Article Creator

v1.0.0

根据主题自动生成微信公众号文章草稿。流程:搜索主题相关内容 → AI总结分析 → 排版美化 → 保存到公众号草稿箱。Use when user needs to write 公众号文章、微信公众号内容、自动创作文章、根据主题写文章。

2· 519·0 current·0 all-time
by@onwalking
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill's purpose (generate and save WeChat public-account drafts) aligns with what the code and SKILL.md request: Node runtime and WeChat developer credentials (WECHAT_APPID, WECHAT_SECRET). One mismatch: the registry metadata in the header lists no required env vars while SKILL.md and the code do require WECHAT_APPID/WECHAT_SECRET. package.json lists axios and dotenv though index.js does not use them; this is likely sloppy packaging rather than malicious.
Instruction Scope
SKILL.md instructs only to provide WeChat credentials, optionally a .env file, and to run the CLI; it explicitly notes the need to integrate search APIs and an LLM (which are external to this skill). The included index.js reads a local .env, accesses only api.weixin.qq.com (WeChat) and no other external endpoints, and does not attempt to read unrelated system files or exfiltrate data.
Install Mechanism
No install spec or remote downloads are present; the package is instruction+code only and requires Node. No archive downloads or third-party install URLs were found.
Credentials
The only sensitive environment variables referenced are WECHAT_APPID and WECHAT_SECRET, which are appropriate for the described functionality. Note the inconsistency: registry metadata earlier said 'Required env vars: none' while SKILL.md and the code require those two vars. Also package.json lists dotenv (and axios) as dependencies even though index.js implements a simple .env parser and uses https; this is likely harmless but worth auditing.
Persistence & Privilege
The skill is not always:true and does not request elevated platform privileges. It does read a local .env and can call WeChat APIs using provided credentials; it does not modify other skills or system-wide settings.
Assessment
This skill appears coherent for creating WeChat article drafts and legitimately needs WECHAT_APPID and WECHAT_SECRET. Before installing: (1) confirm the registry metadata mismatch (some headers claim no env vars) and only provide the WeChat credentials you intend for draft creation; avoid using high-privilege or unrelated credentials. (2) Store secrets safely (prefer runtime environment variables over committing a .env to shared folders). (3) Audit package.json dependencies (axios/dotenv are declared but not used in index.js) and run npm audit if you install dependencies. (4) Be aware the skill contains functions to request a WeChat access token and create drafts — if the agent is allowed to invoke the skill autonomously it can call api.weixin.qq.com with the provided credentials, which is normal for this use case. (5) The skill does not include integrated search/LLM logic; integrating those tools may require additional API keys — review those external integrations separately. If you need higher assurance, ask the author to reconcile the metadata, remove unused dependencies, and provide a minimal README explaining exactly what network calls the skill makes.

Like a lobster shell, security has layers — review code before you run it.

latestvk979f7qxcbd0y4vy782s6thvz9835tdg

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📝 Clawdis
Binsnode
Environment variables
WECHAT_APPIDrequired
WECHAT_SECRETrequired

Comments