Wechat Mp Auto
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill is a disclosed WeChat public-account article automation workflow, but it uses WeChat credentials, external services, local caches, and can create WeChat media/drafts.
Install this only if you intend to connect a WeChat public account. Use a test or restricted account first, protect the AppSecret and API keys, review generated articles and images before public posting, and clear the local cache if drafts or topics are sensitive.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone or any process with these credentials could act through the connected WeChat public account within the credential's API permissions.
The skill requires delegated WeChat public-account credentials to operate. This is expected for uploading media and creating drafts, but those credentials grant meaningful account authority.
WeChat public-account credentials (choose one): 1. configure `app_id` and `app_secret` in `~/.config/wechat-mp-auto/config.json` ... or configure the environment variables `WECHAT_APP_ID` and `WECHAT_APP_SECRET` in `~/.openclaw/.env`
Use credentials only for the intended public account, keep them out of shared files, restrict the account/IP whitelist where possible, and rotate secrets if exposed.
Invoking the skill may create media items and draft articles in the connected WeChat account without a separate manual step described in the workflow.
The agent is instructed to orchestrate a multi-step workflow that can upload images and create WeChat drafts. This matches the skill's purpose, but it is account-mutating automation.
After reading this SKILL.md, the AI decides on its own which tools to call and completes the entire workflow ... Step 8: push the draft ... call create_draft
Run it only when you intend to create drafts, review all generated text/images before public posting, and prefer a test account for first use.
Draft topics, article text, or search-related data may remain on disk and be visible to other local users or future runs.
The skill persists article history and search results locally for duplicate detection and caching. This is disclosed and useful, but it retains content across runs.
Storage: automatically saved to `~/.cache/wechat-mp-auto/article_history.json` ... Cache: search results are cached to `~/.cache/wechat-mp-auto/search_cache.json`
Avoid using sensitive unpublished content on shared machines, and delete `~/.cache/wechat-mp-auto` when retention is not desired.
Article topics, prompts, and uploaded media may be processed by third-party services according to their policies.
The workflow sends topics, image queries/prompts, and selected files to external providers and WeChat APIs. These provider calls are disclosed and purpose-aligned.
research_topic ... internal cascade: Tavily → DuckDuckGo → Baidu ... search_image ... searches and downloads images via the Pexels/Unsplash stock libraries ... upload_image ... uploads to the WeChat media library
Do not submit confidential topics or images unless you trust the configured providers and understand their data handling terms.
Future dependency versions could differ from those the author tested.
The README instructs manual installation of Python dependencies, and the dependency versions are range-based rather than exactly pinned. This is common and not suspicious by itself.
requests>=2.28.0 PyYAML>=6.0 Pillow>=9.0.0 urllib3>=1.26.0
Install from trusted package indexes, consider pinning versions in a lockfile for production use, and review updates before running with account credentials.
