公众号自动发布

The skill is classified as suspicious due to a critical shell injection vulnerability in `scripts.sh`. The `upload_wechat_image` function directly embeds the user-controlled `image_path` parameter into a `curl` command (`-F "media=@${image_path}"`), allowing an attacker to execute arbitrary commands by crafting a malicious `cover_image_path`. Additionally, the `SKILL.md` instructs the agent to download a default cover image from `DEFAULT_COVER_URL` if provided, which could lead to SSRF/LFI if the agent's download mechanism lacks URL validation.