1-Click WOA
v1.0.0一键发布微信公众号草稿箱文章。用户提供文章内容(Markdown),自动完成 token 获取 → 图片上传 → 草稿构建 → 发布全流程。支持微信草稿箱 API,自动处理中文编码问题,发布失败时提供 HTML fallback 方案。触发词:「发布公众号」「发草稿」「发微信公众号」。
⭐ 0· 61·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description (WeChat draft publishing) match the included scripts and docs. The code reads a local credentials.json (app_id/app_secret) and image files and calls api.weixin.qq.com endpoints — all expected for this purpose. No unrelated credentials, services, or binaries are requested.
Instruction Scope
SKILL.md and scripts confine actions to reading ~/.openclaw/agents/gzh-assistant/wechat/credentials.json, reading images from the configured image_dir, calling WeChat API endpoints, and writing an HTML fallback to the agent directory. There are no instructions to read arbitrary system files, other skills' config, or to send data to unknown third-party endpoints.
Install Mechanism
This is an instruction-only skill with bundled Python scripts and no install spec (lowest risk). Minor inconsistency: scripts use the Python 'requests' library but the skill metadata does not declare dependencies; SETUP.md mentions Python 3.8+ but not explicit pip deps. This is a usability/incoherence issue (runtime failure) rather than a direct security concern.
Credentials
No environment variables or unrelated credentials are requested. The required secrets (AppID/AppSecret) are proportional and necessary for WeChat API access and are stored in a local credentials.json per docs. The script only accesses files within the agent directory and user-specified image_dir.
Persistence & Privilege
Skill does not request always:true and does not modify other skills or system-wide settings. It writes a fallback HTML file into its own agent directory, which is appropriate and limited in scope.
Assessment
This skill appears coherent with its purpose, but before installing: 1) only provide AppID/AppSecret if you trust the skill — these are real credentials for your WeChat account; keep them secret and rotate if exposed; 2) inspect the bundled publish.py yourself (it is small and readable) and confirm network calls are only to api.weixin.qq.com; 3) ensure your Python environment has the 'requests' package (the script assumes it) or the script will fail; 4) run scripts/test_config.py first to verify paths and files; 5) consider testing with a non-production WeChat account to confirm behavior; and 6) do not commit your credentials.json to any repository. If you need higher assurance, ask the author for a provenance/homepage or run the code in an isolated environment.Like a lobster shell, security has layers — review code before you run it.
latestvk97ep9f0gj5tevandqbfvq83ks8417g8
License
MIT-0
Free to use, modify, and redistribute. No attribution required.