阿淼发公众号 (Amiao Post to WeChat)
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill is aligned with WeChat publishing, but it asks for account-level credentials/browser access while the actual publishing runtime is missing or stubbed, so users should review it carefully before use.
Use this only if you trust the maintainer and can review the actual runtime that performs WeChat publishing. Start with a test account, keep AppSecret values out of shared EXTEND.md files, leave confirmation enabled, avoid Turbo or auto-submit until you are comfortable, and check the token cache and publish log locations for sensitive data.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may be asked to trust or obtain functionality that was not part of this security review, even though that functionality would handle a WeChat account and publishing actions.
The reviewed script advertised for WeChat API publishing does not implement the runtime; any real code that handles credentials, uploads, or publishing is not included in the artifacts.
console.error("This script requires the full amiao-post-to-wechat runtime.");
console.error("See: https://clawhub.ai/skills/amiao-post-to-wechat");
process.exit(1);
Do not provide production credentials or run any replacement runtime unless its source, install method, and implementation are available for review.
If mishandled, these credentials could allow unwanted access to the user's WeChat Official Account publishing capabilities.
The skill expects WeChat Official Account secrets and supports account-level credential configuration, but the registry metadata declares no primary credential or required environment variables and the runtime that uses these secrets is absent.
WECHAT_MAIN_ACCOUNT_APP_ID=your_app_id
WECHAT_MAIN_ACCOUNT_APP_SECRET=your_app_secret
# Single-account fallback
WECHAT_APP_ID=your_app_id
WECHAT_APP_SECRET=your_app_secret
Do not store `app_secret` directly in EXTEND.md if that file may be shared or committed.
Use a test or least-privilege account first, keep secrets in environment variables rather than shared config files, rotate secrets if exposed, and only use a reviewed runtime.
Using Turbo mode or similar auto-submit flows can post or submit content before a human performs a final review.
The skill documents an opt-in path that can proceed to publishing without the normal pre-publish confirmation.
Turbo Mode ... Skips: deep humanization pass, pre-publish confirmation (auto-proceed) ... Still runs: metadata resolution, packaging check ... publish, log
Keep confirmation enabled for normal use, avoid Turbo/auto-submit on sensitive accounts, and manually review drafts before publication.
Previous article metadata or publishing history may be retained locally and influence later recommendations.
The workflow persists publish logs and uses accumulated history for later auto-tune suggestions.
ACTION: write_publish_log (append to amiao/.publish-log.yaml)
→ ACTION: check_auto_tune_trigger (every 10th cycle)
→ trigger reached
→ ACTION: compute_auto_tune_suggestions
Review what is stored in amiao/.publish-log.yaml, avoid logging sensitive drafts, and clear the log if you do not want past publishing history reused.
