WeChat MP Multi-Publisher

Pass

Audited by ClawScan on May 10, 2026.

Overview

The skill appears purpose-aligned for publishing selected Markdown to WeChat, but it uses WeChat account credentials, uploads content/assets, and can optionally publish publicly.

Install this only if you want the agent to use WeChat MP credentials to create drafts or publish content. Protect the credentials file, test with --dry-run or draft-only mode, require explicit approval before public publishing or cron automation, and consider pinning/reviewing the npm dependency.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone running the skill with these credentials can create drafts and, with the publish option, potentially publish through the connected WeChat account.

Why it was flagged

The script reads WeChat app credentials from environment variables or a local credentials file to authenticate to the WeChat MP account.

Skill content

const appId = process.env.WECHAT_APP_ID;
const appSecret = process.env.WECHAT_APP_SECRET;
...
fs.readFileSync(CREDENTIALS_PATH, "utf-8")

Recommendation

Use dedicated WeChat MP credentials where possible, restrict file permissions on the credentials file, and only provide credentials on systems where you trust the agent and script.

What this means

Accidental or overly broad use of these flags could publish content publicly instead of only creating a draft.

Why it was flagged

The CLI exposes options that can move beyond draft creation and publish content to the WeChat account.

Skill content

  --publish        Also trigger freepublish after draft creation
  --media-id=xxx   Publish an existing draft by media_id

Recommendation

Use dry-run or draft-only mode first, and require explicit user confirmation before using --publish or --media-id.

What this means

Private or unintended local images referenced by the Markdown could be uploaded to WeChat if included in the article.

Why it was flagged

Selected local article images are uploaded to WeChat as part of the publishing workflow.

Skill content

**Inline images** — local PNG/JPG auto-uploaded to WeChat CDN

Recommendation

Review Markdown image references before publishing and avoid including private local files unless they are intended for WeChat.

What this means

The exact dependency version installed may vary over time, so users rely on the current npm package state.

Why it was flagged

The required npm dependency is installed without a pinned version or lockfile in the provided artifacts.

Skill content

npm install @wenyan-md/core

Recommendation

Pin the dependency version, review the package source, and install in a controlled project environment.

Note
High Confidence
ASI10: Rogue Agents

What this means

If the user installs this cron job, the script can continue creating WeChat drafts on a schedule without further prompts.

Why it was flagged

The setup guide includes a cron example for recurring automated draft pushes.

Skill content

0 22 * * * cd /your/project && node publish.mjs articles/deep.md articles/news.md >> /var/log/wechat-push.log 2>&1

Recommendation

Only add scheduled jobs intentionally, keep them draft-only unless public publishing is intended, and periodically review or remove the cron entry.