Mp Publisher

What to consider before installing: - The skill requires two secrets (WECHAT_APP_ID & WECHAT_APP_SECRET) and a DMX API key — those are necessary for its claimed WeChat publishing and image-generation functionality. Do not provide those credentials unless you trust the code and the DMX provider. - The registry metadata did not declare required env vars, but the SKILL.md and code do; this discrepancy is a red flag about packaging hygiene. Inspect SKILL.md, package.json, and the code yourself (they are included) before running any setup script. - setup.sh will create directories and .env templates under ~/.openclaw and copy Python scripts there; it also attempts to pip-install packages (requests, wechatpy). Run the script in a controlled environment (or review/edit it) rather than executing blindly. - Verify the DMX_BASE_URL and DMX provider (default https://www.dmxapi.cn) are intended; if you prefer a different image service, change the code or envs. - Recommended precautions: review the Python files (draft_publisher.py, image_generator.py, workflow-monitor.py) to ensure no secrets are being logged or sent to unexpected endpoints; run first in a sandbox or VM; supply least-privileged credentials; add the host IP to WeChat whitelist only after validating behavior. Why 'suspicious' not 'malicious': The code implements exactly what the skill advertises and uses appropriate APIs, but the packaging/metadata inconsistency and the fact that setup writes to the home directory and installs packages without a registry-declared install spec are concerning enough to require human review before use. Additional information that would raise confidence: amended registry metadata listing required env vars, a trusted upstream repository URL and release artifacts, or a signed/verified package release.