微信小程序 CI 工具

If the test script is run, the user’s saved CI configuration can be erased and may need to be recreated.

The test runner replaces the real ~/.wxmini-ci.config.js with an empty test config and later copies the same empty test config back, despite comments claiming it restores the real config.

Running init may install or change a global npm package on the machine.

The init flow installs miniprogram-ci globally from npm without a pinned version. This is related to the skill’s purpose, but it changes the user’s global Node environment and depends on the npm package supply chain.

Whoever can run the configured commands with the private key can perform CI actions against the configured Mini Program.

The skill uses a WeChat Mini Program app ID and private-key file path to authenticate CI actions. This is expected for miniprogram-ci, but it grants authority to preview/upload code and operate on cloud resources.

A mistaken command can publish the wrong code or cloud assets to the user’s WeChat Mini Program environment.

The skill exposes commands that can upload application code, cloud functions, and cloud storage content. These operations are central to the stated CI purpose, but they are high-impact account mutations.

Using a config file from an untrusted source could run code on the user’s machine.

The tool loads configuration as a JavaScript module, so a config file can execute code when loaded. This is a common Node.js config pattern and appears documented, but users should only use trusted config files.