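A self-media content creation assistant with trending-topic tracking, customizable writing profiles, and integrated creation and publishing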

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a coherent content-creation skill, but it can use Tencent Docs and WeChat account integrations to create external documents or drafts without a clearly declared credential contract or final approval gate.

Install only if you want this skill to interact with Tencent Docs and WeChat publishing workflows. Configure your own credentials, require a final review before any document or draft is created, and review/pin any optional MCP helper before installing it.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the integrations are connected, the agent could upload generated content or cover images and create external documents/drafts under the user's accounts.

Why it was flagged

The skill instructs the agent to call external tools/APIs that create Tencent Docs content and WeChat public-account drafts. The workflow does not clearly require a final approval step before those account mutations.

Skill content

Publish sync ... MCP call method (required) ... create_word_by_markdown ... upload the cover to WeChat to obtain media_id ... create draft

Recommendation

Require an explicit confirmation before any Tencent Docs or WeChat write, show the target account/title/content, and distinguish clearly between draft creation and public publishing.

What this means

Users may not realize the skill can rely on configured Tencent Docs or WeChat account access to perform writes in third-party services.

Why it was flagged

The skill expects account-level credentials and a configured local MCP token, but the registry metadata declares no primary credential, env vars, or required config paths. This under-declares the privilege boundary.

Skill content

Official Account API (AppID) | must be configured by the user ... Tencent Docs MCP | ✅ Token configured ... IP allowlist | ✅ 180.165.18.247 ... config file `/Users/sue/.openclaw/workspace/config/mcporter.json`

Recommendation

Declare required credentials/config paths in metadata, require users to configure their own tokens, and document the exact permissions and accounts the skill will use.

What this means

Installing the optional helper could execute code that was not included in this skill review.

Why it was flagged

The optional WeChat-reading helper is installed from an external GitHub repository and pip requirements without a pinned commit or included code for review. It is user-directed and related to the stated purpose, so this is a supply-chain note rather than a standalone concern.

Skill content

git clone https://github.com/Bwkyd/wexin-read-mcp.git; cd wexin-read-mcp && pip install -r requirements.txt ... "command": "python"

Recommendation

Review the repository before installing, pin a trusted commit/version, use a virtual environment, and avoid giving the helper broader credentials than necessary.

What this means

Old or manipulated writing profiles could affect future generated articles or publishing format decisions.

Why it was flagged

The skill stores and reuses writing-profile context. This is purpose-aligned and includes user confirmation, but persistent profile data can influence future outputs if inaccurate or poisoned.

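Skill content

Check for existing profiles and show them for the user to choose from ... If a new one is needed, analyze reference material to extract a profile ... Save the profile after confirming it with the user

Recommendation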

Review saved profile JSON files periodically and only store intended style preferences, not hidden instructions or sensitive personal information.

What this means

Published content could appear more personally authentic than it really is if generated anecdotes are not factual.

Why it was flagged

The skill encourages reducing AI-like phrasing and adding personal experiences or real cases. This may be acceptable for editing, but could mislead readers if the experiences are invented rather than user-provided or verified.

Skill content

AI-flavor removal ... add personal experience ... Personal experience: are there real cases/stories (recommended: 1 per 600 words)

Recommendation

Only include personal experiences, claims, and case studies that the user supplies or verifies, and disclose AI assistance where appropriate.