Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Wechat Miniprogram Toolkit
v1.0.0微信小程序全栈开发 skill,支持项目初始化、云开发(数据库/存储/云函数/聚合查询/事务)、用户登录鉴权、微信支付(JSAPI/统一下单/支付通知/退款)、直播/实时音视频(TRTC)、数据分析/埋点、分享海报/朋友圈分享、TypeScript 泛型封装、云托管(容器化后端)、客服消息、订阅消息、客服自动回复...
⭐ 0· 40·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
high confidencePurpose & Capability
The name/description (WeChat mini program full-stack toolkit) matches the provided SKILL.md and reference documents (auth, cloud-dev, ci-cd, payment, etc.). The only code file is a subpackage analysis Python script which is directly relevant to the described 'analyze subpackages' capability. No unrelated binaries or environment variables are required by the skill itself.
Instruction Scope
Runtime instructions are focused on project init, running the included scripts (scripts/analyze_subpackages.py), and generating CI/CD configs. Reference docs include examples that call cloud functions and report analytics (wx.cloud.callFunction, wx.reportEvent) and CI/CD examples that require AppSecret/private key secrets in GitHub Actions. Those examples are expected for this domain but grant the skill authority to (a) read project files it is asked to analyze and (b) produce CI/CD configs that reference or consume secrets. You should review scripts/analyze_subpackages.py before running it in your workspace, and review any generated CI workflow before enabling it.
Install Mechanism
No install spec — instruction-only plus a small Python script. This is low risk compared to download/install flows. Optional tooling (miniprogram-ci, Node, Python) are described as project dependencies or CI runner tools and are reasonable for the stated features.
Credentials
The skill itself declares no required environment variables or credentials. Reference docs and CI/CD examples legitimately describe using WEAPP_APPID/WEAPP_APP_SECRET/WEAPP_PRIVATE_KEY, WEIXIN_MCH_KEY, DATABASE_URL, etc., which are appropriate for building/publishing and payment backends. Two practical cautions: (1) the CI examples show writing secrets into files (echoing secrets into private.weapp.key) — this is common but can be mishandled (leaked into logs or artifacts) if not done carefully; (2) analytics/track examples call cloud functions and include openid or stored user identifiers — this is expected for analytics but is a privacy surface you should control. None of these are unexplained, but they are sensitive and deserve careful handling.
Persistence & Privilege
always is false and the skill does not request persistent system-wide privileges. disable-model-invocation is false (normal). There is no attempt to modify other skills or global agent settings in the provided materials.
Assessment
This skill appears to be exactly a WeChat Mini Program developer toolkit and is coherent with its descriptions. Before installing or running it:
- Inspect scripts/analyze_subpackages.py (and any other included scripts) to confirm they only read project files and do not call unexpected remote endpoints or read system secrets.
- When you configure CI/CD, store AppID/AppSecret/private keys in your CI secret manager (GitHub Secrets) and avoid printing secrets or committing private keys. Be careful with steps that echo secrets into files—ensure those files are not uploaded as build artifacts or leaked to logs.
- Review any generated cloud function/analytics code that sends openid or other identifiers to third‑party endpoints; that is normal for analytics but has privacy implications.
- If you are uncomfortable with autonomous code execution by the agent, disable automatic invocation or review and approve any actions before they run.
Overall the package is coherent and appropriate for its domain, but standard operational hygiene around credentials and privacy should be followed.Like a lobster shell, security has layers — review code before you run it.
latestvk9739rsjaw53as5f7yyzb3fwhx84rzxf
License
MIT-0
Free to use, modify, and redistribute. No attribution required.