Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
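WeChat Mini Program CI Tool
v1.0.1 · WeChat Mini Program CI tool skill. Supports all miniprogram-ci capabilities, including build, preview, cloud functions and cloud storage. Developed with Node.js, cross-platform and configurable.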
by Super 9° @super9du
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (wx miniprogram CI using miniprogram-ci) align with the provided script and config example: the code implements commands for init, config, preview, upload, build-npm, upload-function, upload-storage and interacts with project files and a private key path as expected.
Instruction Scope
SKILL.md instructs running the included Node script from the skill's scripts directory and describes persisting configuration to ~/.wxmini-ci.config.js. That behavior is expected for a CLI tool, but the skill also ships test scripts that perform file operations on the user's home config (see tests/run-tests.js) which could overwrite a user's existing ~/.wxmini-ci.config.js if run.
Install Mechanism
No install spec; this is instruction + script files only. No external download URLs or installers are present in the provided files, which reduces install-time risk. The script may invoke npm or miniprogram-ci at runtime (not executed by the platform during install).
Credentials
The tool legitimately needs project paths and private key file paths for WeChat operations. However, it persists configuration to the user's home (~/.wxmini-ci.config.js) and the tests intentionally copy a test config over the real config file (tests/run-tests.js) in a way that will overwrite an existing real config without backing it up first—this is disproportionate risk for a skill and could inadvertently clobber user data. The script also reads filesystem paths (including private key files) which is expected but sensitive; no explicit environment variables or cloud credentials are requested by the skill itself.
Persistence & Privilege
The skill writes a persistent config file in the user's home directory and can persist per-project settings. It does not request 'always: true' or other elevated platform privileges. Persisting config to the user's home is reasonable for a CLI tool, but users should be aware of the persistent file location and that tests/scripts can modify it.
What to consider before installing
This skill appears to implement a legitimate miniProgram CI wrapper, but take precautions before running anything:
1) Inspect scripts/wx-miniprogram-ci.js to confirm whether it will run npm installs or external commands automatically and where it writes files.
2) Back up any existing ~/.wxmini-ci.config.js before running the skill or tests — the provided tests (tests/run-tests.js) copy a test config to your real config path and may overwrite it without preserving the original.
3) Keep your WeChat private key files safe: the tool accepts privateKeyPath and reads that file; only point it at keys you intend to use.
4) Run the tool in an isolated environment or sandbox (or with a temporary home) if you want to verify behavior first.
If you need higher confidence, ask the skill author for a clear statement of whether the script automatically installs packages (and for safer test behavior that does not overwrite user config).
scripts/wx-miniprogram-ci.js:466
Shell command execution detected (child_process).
tests/run-tests.js:61
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
