Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Publish Markdown as a WeChat Official Account draft (wenyan-cli; themes, code highlighting). Official Account publishing.

v1.0.0


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for hidebug/xqx-wechat-publisher.

Install the skill "Publish Markdown as a WeChat Official Account draft (wenyan-cli; themes, code highlighting). Official Account publishing." (hidebug/xqx-wechat-publisher) from ClawHub.
Skill page: https://clawhub.ai/hidebug/xqx-wechat-publisher
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required env vars: WECHAT_APP_ID, WECHAT_APP_SECRET
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install xqx-wechat-publisher

ClawHub CLI


npx clawhub@latest install xqx-wechat-publisher

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (high confidence)

Purpose & Capability
Name/description and required credentials (WECHAT_APP_ID, WECHAT_APP_SECRET) match the claimed WeChat publishing purpose. The script calls the wenyan CLI to publish, which is consistent with the skill description.
! Instruction Scope
SKILL.md instructs the agent to call another skill (xqx-image-generator) and to localize/download generated images — that cross-skill behavior is explicit and expected. However the shipped script (scripts/publish.py) also attempts to read credentials from a specific file (~/.openclaw/workspace/TOOLS.md) if environment variables are not set. That file access is not declared in the skill metadata (no required config paths), which is an incoherence and a scope creep: the agent will look for and parse a local file for secrets beyond only using process env vars.
! Install Mechanism
There is no install spec in the registry metadata, but the runtime script will attempt to run 'npm install -g @wenyan-md/cli' if the wenyan CLI is missing. That performs a global network install at runtime (requires npm and network access) and can modify the system global npm packages. This implicit install is a higher-risk action than an instruction-only skill and is not surfaced in metadata.
Credentials
Requesting WECHAT_APP_ID and WECHAT_APP_SECRET is proportionate to publishing to WeChat. Note: the script will also try to extract these values from ~/.openclaw/workspace/TOOLS.md if env vars are absent; that local file read is additional credential access not declared in requires.config and may expose other secrets stored in that file.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide config. Autonomous invocation is the platform default and is not by itself a concern here.
What to consider before installing

- Credentials: This skill needs your WeChat AppID and AppSecret. Provide them via environment variables rather than committing them to files in source control. The script will also try to read ~/.openclaw/workspace/TOOLS.md for these values; verify and sanitize that file if you rely on it.
- Implicit global install: The included script will attempt to run 'npm install -g @wenyan-md/cli' if the wenyan CLI is missing. That will fetch and install code from the npm registry at runtime and modify global npm state. Only proceed if you trust @wenyan-md/cli and you are comfortable allowing a runtime global npm install (or preinstall wenyan-cli yourself in a controlled way).
- Filesystem access: The script reads a fixed path (~/.openclaw/workspace/TOOLS.md). If you do not want code to read that file, ensure the file does not contain secrets or run the script with WECHAT_* env vars set and/or remove/lock that path.
- Cross-skill behavior: The agent instructions call xqx-image-generator and require downloading generated images locally. Verify you trust the image-generator skill and audit any network activity that results from downloading images.
- Operational safety: Run the tool in an isolated environment (container or dedicated machine) if you are unsure, and review the wenyan-cli project (https://github.com/caol64/wenyan-core or the cli repo) before allowing the skill to install dependencies or publish content. If you need higher assurance, modify the script to remove the implicit npm install and to fail rather than read TOOLS.md.
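
One way to get the "fail rather than fall back" behaviour without editing the skill is a preflight guard run in place of scripts/publish.py. This is an added example, not part of the skill or of ClawHub's scan; the file name preflight.py and the function preflight() are hypothetical, and it assumes the two fallbacks trigger only under the conditions the scan describes (env vars unset, wenyan missing).

```python
"""Preflight guard to run before scripts/publish.py (added example)."""
import os
import shutil
import stat
import subprocess
import sys
from pathlib import Path

REQUIRED_ENV = ("WECHAT_APP_ID", "WECHAT_APP_SECRET")
# Fallback credential file named in the scan report.
TOOLS_MD = Path.home() / ".openclaw" / "workspace" / "TOOLS.md"


def preflight(env, which=shutil.which, tools_md=TOOLS_MD):
    """Return a list of reasons to refuse to run; empty means proceed."""
    problems = []
    # Both variables set: the script has no reason to fall back to TOOLS.md.
    for name in REQUIRED_ENV:
        if not env.get(name, "").strip():
            problems.append(f"{name} is not set in the process environment")
    # wenyan already on PATH: the runtime 'npm install -g' branch is not taken.
    if which("wenyan") is None:
        problems.append("wenyan CLI not found; preinstall it in a controlled way")
    # Flag a TOOLS.md that still holds the secrets or is open to other users.
    if tools_md.is_file():
        text = tools_md.read_text(encoding="utf-8", errors="replace")
        if any(name in text for name in REQUIRED_ENV):
            problems.append(f"{tools_md} mentions WeChat credentials; use env vars")
        if stat.S_IMODE(tools_md.stat().st_mode) & 0o077:
            problems.append(f"{tools_md} is accessible by group/others; chmod 600")
    return problems


def main(argv):
    if len(argv) != 2:
        print("usage: preflight.py <article.md>", file=sys.stderr)
        return 2
    problems = preflight(os.environ)
    for p in problems:
        print(f"refusing to publish: {p}", file=sys.stderr)
    if problems:
        return 1
    # Same command the skill documents, run from the wechat-publisher directory.
    return subprocess.run([sys.executable, "scripts/publish.py", argv[1]]).returncode


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```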

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Env: WECHAT_APP_ID, WECHAT_APP_SECRET
Primary env: WECHAT_APP_SECRET
latest: vk970fgj5zhd94fqtqj96hs3hv184h48c
169 downloads
0 stars
1 version
Updated 2w ago
v1.0.0
MIT-0

wechat-publisher

Agent Instructions

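Trigger: the user mentions 「发布到公众号」 ("publish to the Official Account"), "wechat publish", 「公众号发布」 ("Official Account publishing"), or similar.

Execution flow

  1. Confirm the Markdown file path
  2. Check whether the frontmatter contains title and cover
  3. If cover is missing: call xqx-image-generator to generate a cover (see "Image generation")
  4. If the body needs illustrations: call xqx-image-generator (see "Image generation")
  5. Images must be localized: after generation, download them into the article directory (e.g. ./assets/); the frontmatter and body use local paths, and using only a URL is forbidden
  6. In the wechat-publisher directory, run: python scripts/publish.py <path>; on failure, see references/troubleshooting.md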

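Environment variables

| Variable | Required | Description |
| WECHAT_APP_ID | Yes | Official Account AppID |
| WECHAT_APP_SECRET | Yes | Official Account AppSecret |

WECHAT_APP_ID and WECHAT_APP_SECRET must both be configured; neither may be omitted (if either is missing, publish.py cannot obtain a token). metadata.openclaw.primaryEnv is used only by the registry/client to mark the "primary credential" field; both variables are listed in requires.env and both are required.

The values can be injected through the process environment, or publish.py can obtain WECHAT_APP_ID / WECHAT_APP_SECRET from TOOLS.md in the workspace. Do not commit real credentials to Git. The IP of the machine running the script must be in Official Account Platform → Development → Basic Configuration → IP whitelist.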

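Image generation

Call xqx-image-generator for text-to-image generation; that skill only returns an image URL, so you must download the image into the article directory yourself (e.g. ./assets/cover.jpg) and write the local path in the frontmatter / body.

Cover (cover missing): the prompt is the article title plus the style the user specifies; the aspect ratio defaults to 16:9; cover: ./assets/cover.jpg

Body illustrations: the prompt follows what the user specifies or the context; default 16:9; in the body: ![](./assets/xxx.jpg)

Runtime requirements and commands

  • Python: runs publish.py
  • npm / Node: wenyan-cli must be installed on first use (the script runs npm install -g @wenyan-md/cli); afterwards it depends on the wenyan command

Frontmatter (if either field is missing, the error 「未能找到文章封面」 ("could not find the article cover") is reported):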

---
title: 文章标题(必填)
cover: ./assets/cover.jpg
---

# 正文...

Publish (cwd is wechat-publisher):

cd $OPENCLAW_WORKSPACE/wechat-publisher
python scripts/publish.py /path/to/article.md

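Theme and highlighting: python scripts/publish.py article.md [theme] [highlight]; the defaults are lapis and solarized-light. On failure, it retries up to 3 more times.

Core constraints

| Item | Requirement |
| title | Required |
| cover | Required (the official documentation says cover can be omitted; in practice the current toolchain requires it) |
| Images | Local paths; wenyan uploads the media |
| Code blocks | Automatic highlighting + Mac style |

References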
