微信公众号文章排版

This skill appears to implement the advertised Markdown→WeChat HTML workflow and to include publishing support, but there are mismatches and privacy concerns you should address before installing: - The SKILL.md says it auto-loads ~/.openclaw/.env for WECHAT_APP_ID and WECHAT_APP_SECRET, but the skill metadata lists no required env vars — expect to provide WeChat credentials if you use publishing. Confirm the metadata reflects this. - Inspect scripts/publish.py and scripts/format.py (search for network endpoints, external hosts, and any non-WeChat POST destinations). Verify publish.py uses official WeChat API endpoints (e.g., api.weixin.qq.com) and does not send content/credentials to other servers. - Check what exactly the loader does with ~/.openclaw/.env. If it blindly loads every variable from that file into the process, it could expose unrelated secrets. Consider moving only the necessary WECHAT credentials to a dedicated env file or pass them at runtime. - Because the skill bundles runnable Python code, run it first in an isolated environment (container or VM) and use --dry-run where available. Review logs and network traffic during a test run. - Verify the output directory and any hardcoded paths (config.json.vault_root) are acceptable for your environment; change them before running if needed. If you want, I can: (a) scan the full contents of scripts/format.py and scripts/publish.py for network calls, string obfuscation, or secret exfiltration indicators; or (b) suggest minimal sandbox commands to run a safe dry-run.