Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Mp Publisher

v1.0.1

Automates WeChat article workflow: generates topics, drafts, reviews, creates images, and publishes drafts to the official account.

by 吴曦 @wuxixixi

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for wuxixixi/mp-publisher.

Install the skill "Mp Publisher" (wuxixixi/mp-publisher) from ClawHub.
Skill page: https://clawhub.ai/wuxixixi/mp-publisher
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install mp-publisher

ClawHub CLI


npx clawhub@latest install mp-publisher

Security Scan

VirusTotal: Pending

OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The skill's name and description (WeChat article workflow + publishing drafts) match the implemented functionality: lib/draft_publisher.py interacts with the WeChat API, lib/image_generator.py calls a DMX image API, SKILL.md documents WECHAT_APP_ID/WECHAT_APP_SECRET and DMX_API_KEY. However, the registry metadata declares no required env vars or primary credential while the code and SKILL.md clearly require two secrets; this mismatch is surprising and should be resolved before trusting the skill.
Instruction Scope
SKILL.md stays on-topic: it documents the workflow, file locations under ~/.openclaw, required env files, IP whitelist for WeChat, and that it only creates drafts. The runtime instructions and role mapping align with the code behavior (parsing article files, generating images, uploading to WeChat). There are no instructions to read unrelated system files or exfiltrate data to unexpected endpoints.
Install Mechanism
There is no formal install spec in the registry, but the package includes scripts/setup.sh, which copies files into ~/.openclaw/workspace-*, creates .env templates, and invokes pip to install requests and wechatpy. This is a reasonable local install approach, but the skill will write to the user's home directory and install Python packages; users should review the script before running it.
Credentials
The code legitimately requires WECHAT_APP_ID and WECHAT_APP_SECRET (used to fetch access_token and create drafts) and DMX_API_KEY (used to generate images). These are proportionate to the declared purpose. The concern is that the registry metadata did not list these required env vars (package.json does list them under config.env, but the registry summary shows none), which is an inconsistency that could lead users to miss supplying or auditing sensitive keys.
Persistence & Privilege
The skill does not request always:true and is user-invocable. setup.sh writes files into ~/.openclaw workspace subdirectories and installs helper scripts there; this is scoped to its own workspace and does not modify other skills or global agent settings. No evidence of elevated or hidden persistence beyond installing its own tools.
What to consider before installing
  • The skill requires two secrets (WECHAT_APP_ID & WECHAT_APP_SECRET) and a DMX API key; those are necessary for its claimed WeChat publishing and image-generation functionality. Do not provide those credentials unless you trust the code and the DMX provider.
  • The registry metadata did not declare required env vars, but the SKILL.md and code do; this discrepancy is a red flag about packaging hygiene. Inspect SKILL.md, package.json, and the code yourself (they are included) before running any setup script.
  • setup.sh will create directories and .env templates under ~/.openclaw and copy Python scripts there; it also attempts to pip-install packages (requests, wechatpy). Run the script in a controlled environment (or review/edit it) rather than executing blindly.
  • Verify the DMX_BASE_URL and DMX provider (default https://www.dmxapi.cn) are intended; if you prefer a different image service, change the code or envs.
  • Recommended precautions: review the Python files (draft_publisher.py, image_generator.py, workflow-monitor.py) to ensure no secrets are being logged or sent to unexpected endpoints; run first in a sandbox or VM; supply least-privileged credentials; add the host IP to WeChat whitelist only after validating behavior.

Why 'suspicious' not 'malicious': The code implements exactly what the skill advertises and uses appropriate APIs, but the packaging/metadata inconsistency and the fact that setup writes to the home directory and installs packages without a registry-declared install spec are concerning enough to require human review before use.

Additional information that would raise confidence: amended registry metadata listing required env vars, a trusted upstream repository URL and release artifacts, or a signed/verified package release.

Like a lobster shell, security has layers — review code before you run it.

latest vk971wcrpzsty6tbyjr5t8g0b89847wd8
90 downloads
0 stars
2 versions
Updated 3w ago
v1.0.1
MIT-0

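SKILL.md - WeChat Official Account Article Publishing Workflow

Description

Complete official-account article publishing workflow: topic generation → drafting → review → illustration → publish draft.

Trigger conditions

  • The user says "今天写X篇" ("write X articles today")
  • The user says "选题X" or "选X" ("topic X" or "pick X")
  • The user asks to generate topics, write articles, or publish to the official account

Workflow

Researcher (topics) → user selection → Writer (search + drafting) → Reviewer → Designer (4 images) → Chief editor (publish draft)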

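Roles

| Role | agentId | Responsibility |
|---|---|---|
| Researcher | work | Generate topics (arXiv papers + AI news) |
| Writer | writer | Search for material and write the article |
| Reviewer | reviewer | Score and review (passes at >= 90 points) |
| Designer | designer | Generate 4 images (cover + 3 inline) |
| Chief editor | mp-editor | Publish to the official account's draft box |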

Configuration requirements

1. WeChat official account configuration

Configure in ~/.openclaw/workspace-mp-editor/.env:

WECHAT_APP_ID=your_app_id
WECHAT_APP_SECRET=your_app_secret

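IP whitelist: the IP address of the machine running the skill must be added in the official account admin console.

2. Image API configuration

Configure in ~/.openclaw/workspace-designer/.env: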

DMX_API_KEY=your_api_key

3. Working directories

  • Article storage: ~/.openclaw/workspace-work/
  • Image storage: ~/.openclaw/workspace-designer/images/
  • Workflow state: ~/.openclaw/workspace-work/.workflow-state.json

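Article conventions

Title format

News event + a judgment question from an engineer's perspective

Structure requirements

  • Opening: the first paragraph states the core thesis clearly
  • Structure: thesis → argument → conclusion
  • Image markers: 【配图1】【配图2】【配图3】 (image 1, image 2, image 3)
  • Ending: vary how the closing judgment is phrased; avoid the fixed "吴曦的判断" ("Wu Xi's verdict") pattern

Review scoring

  • >= 90 points: pass, start the designer
  • < 90 points: return for revision (at most 3 times)

Image specifications

  • Count: 4 (cover + 3 inline images)
  • Size: 1376×768 (16:9)
  • Style: tech-themed, clean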

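Usage

Generating topics

User: 今天写三篇 ("write three articles today")

The system will:

  1. Start the researcher to generate topics
  2. Show the topics for the user to choose from
  3. Start the drafting workflow once the user has chosen

Selecting topics

User: 选题1、2、3 ("topics 1, 2, 3")

The system will start the corresponding number of drafting tasks.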

File structure

mp-publisher/
├── SKILL.md              # This file
├── scripts/
│   ├── workflow-monitor.py    # Workflow monitoring
│   └── setup.sh               # Environment initialization
├── templates/
│   └── article.md        # Article template
└── lib/
    ├── image_generator.py     # Image generation
    └── draft_publisher.py     # Draft publishing

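Dependencies

  • OpenClaw subagent system
  • WeChat official account API
  • DMX API (image generation)
  • arxiv-watcher skill (paper search)
  • tavily skill (news search)

Notes

  1. IP whitelist: before publishing, make sure the machine's IP is on the official account whitelist
  2. Concurrency control: multiple articles can be processed in parallel
  3. Status tracking: each article ends with a <!-- STATUS: xxx --> marker
  4. Automatic publishing: the skill does not attempt to publish automatically; it only creates drafts

Version: 1.0.0 Updated: 2026-04-04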
