Skill v1.0.0
ClawScan security
wechat mp draft · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 12, 2026, 2:28 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code and runtime instructions match its stated purpose (upload an image, obtain an access token, save a WeChat MP draft). The required credentials are local config values, and all network calls target the official WeChat API.
- Guidance: This skill appears coherent and implements exactly what it claims. It needs your WeChat AppID and AppSecret (placed in a local config.sh as instructed), the server IP must be added to the WeChat IP whitelist, and the basic tools curl, jq, and file must be installed. Before using: (1) keep config.sh private and add it to .gitignore, (2) review the scripts yourself and run them in a safe environment, (3) ensure you trust the source before supplying real credentials, and (4) install jq if it is missing. The only minor inconsistency is that the registry metadata did not declare the required credentials; the skill expects them in a local config file rather than in environment variables.
Review Dimensions
- Purpose & Capability (ok): The name and description (save an article to a WeChat public account draft) align with the included scripts and docs. The scripts only call official api.weixin.qq.com endpoints and require the expected AppID/AppSecret and an IP whitelist.
- Instruction Scope (ok): SKILL.md and the scripts stay within the advertised scope: get an access token, upload an image (permanent material), and call the draft add API. They reference a config.sh for credentials and check for the required local tools (curl, jq, file). No unrelated files, endpoints, or broad data-collection steps are present.
- Install Mechanism (ok): No install spec and no remote downloads. The skill is instruction-only plus local shell scripts, so installation risk is low. Running the scripts writes nothing beyond standard temporary data and makes network calls only to WeChat endpoints.
- Credentials (note): The manifest lists no required env vars, but SKILL.md and the scripts require an AppID/AppSecret provided via a local config.sh; this is proportionate to the task. Note that credentials are expected to be stored in a local file (config.sh) rather than declared as environment variables in the registry metadata.
- Persistence & Privilege (ok): The skill does not request permanent presence (always:false) and does not modify other skills or system-wide settings. It runs only when invoked and requires the user to run the supplied scripts.
