Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
WeChat Mini Program Builder
v1.0.0AI-assisted tool to quickly build WeChat Mini Programs with templates, auto-generated code, cloud functions, and deployment support.
⭐ 1 · 175 · 2 current · 2 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious (medium confidence)
Purpose & Capability
The SKILL.md describes an npm-based CLI (miniprogram-cli / mp-builder) and gives Node-centric usage, but the bundle includes a Python tool (mp_builder.py) that implements the described features. The Python code requires an OPENCLAW_API_KEY environment variable (and imports an OpenClaw client) even though the skill metadata lists no required env vars or primary credential. These mismatches go beyond what the stated purpose needs and leave a user unable to tell what the skill actually does.
Instruction Scope
SKILL.md instructs installing a Node CLI and running mp-builder commands; it does not mention setting an API key or contacting any external LLM/service. The Python code, however, sends prompts to an external OpenClaw chat API to generate page code and will fail or raise an exception if OPENCLAW_API_KEY is not set. The code also writes generated content and cloudfunction templates to disk (pages/, cloudfunctions/). The instructions therefore omit that the tool will call an external model and require credentials.
Install Mechanism
There is no declared install spec (the skill is instruction-only), but SKILL.md tells the user to install a global npm package. The included implementation is Python and imports an 'openclaw' package without saying how or from where to install it. This mismatch leaves it unclear what actually needs to be installed and from which source, which raises the risk because neither the dependencies nor their provenance can be checked.
Credentials
The Python code requires a sensitive environment variable OPENCLAW_API_KEY and will abort if it's missing, yet the skill metadata declares no required env vars and SKILL.md does not instruct users to provide this key. Requiring an API key for an external model is plausible for AI code generation, but the omission in metadata and docs is a red flag: users could accidentally supply a general/privileged key without understanding why. No other credentials are requested, but this single undeclared secret request is disproportionate and undocumented.
Persistence & Privilege
The skill does not request always:true and is user-invocable only; it does not modify other skills or system-wide settings. It writes project files to the current directory (normal for a project generator) but requests no elevated/system-level privileges.
What to consider before installing
This skill shows multiple inconsistencies: the user-facing instructions talk about a Node CLI, but the included code is a Python script that will call an external OpenClaw API and requires an OPENCLAW_API_KEY that is not documented. Before installing or running:
1) Ask the publisher for the canonical source/repo and clarification (is the tool Node or Python?).
2) Do not supply any API keys until you confirm why they are needed and whether the key will be limited/scoped.
3) Inspect the code locally (mp_builder.py) or run it in an isolated environment (VM/container) to observe network calls; verify the 'openclaw' client origin.
4) Prefer installing only from a trusted registry or the project's official repo; avoid running unknown global npm packages.
If you need this functionality, request an updated SKILL.md that documents required credentials, dependency installation steps, and the exact remote endpoints used.
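The local inspection in step 3 can be started without executing the skill at all. The script below is an added example, not part of the ClawHub page or of the skill bundle: it walks the AST of a Python file to list the environment variables it reads, the network-capable modules it imports and the files it writes, then diffs the env vars against what SKILL.md mentions. Both inputs are constructed stand-ins for mp_builder.py and SKILL.md (hypothetical contents chosen to match the scan report), the NETWORK_MODULES set is an assumption, and treating any UPPER_SNAKE_CASE token in SKILL.md as a "declared" variable is a heuristic you would replace with the registry's real metadata field if it has one.

```python
"""Static check for a skill bundle (added example, not the bundle's code):
env vars read, network-capable imports, file writes, and which env vars
SKILL.md never mentions.  Inputs are constructed stand-ins."""
import ast
import re

# Constructed stand-in for mp_builder.py (hypothetical; not the real file).
SAMPLE_MP_BUILDER = '''
import os
import sys
from openclaw import OpenClaw

api_key = os.environ.get("OPENCLAW_API_KEY")
if not api_key:
    sys.exit("OPENCLAW_API_KEY not set")
client = OpenClaw(api_key=api_key)

def generate_page(name):
    resp = client.chat.create(messages=[{"role": "user", "content": name}])
    with open(f"pages/{name}.js", "w") as fh:
        fh.write(resp.text)
'''

# Constructed stand-in for SKILL.md: Node-centric, declares no env vars.
SAMPLE_SKILL_MD = '''---
name: wechat-miniprogram-builder
description: AI-assisted tool to build WeChat Mini Programs
---
Install: npm install -g miniprogram-cli
Run: mp-builder init my-app
'''

# Assumption: importing any of these means the code may reach the network.
# 'openclaw' is listed because the scan report says it wraps a chat API.
NETWORK_MODULES = {"requests", "httpx", "urllib", "urllib3", "socket",
                   "http", "aiohttp", "openclaw"}


def _is_attr(node, base, attr):
    """True for an expression of the form base.attr, e.g. os.environ."""
    return (isinstance(node, ast.Attribute) and node.attr == attr
            and isinstance(node.value, ast.Name) and node.value.id == base)


class EnvAndNetworkVisitor(ast.NodeVisitor):
    """Collects os.getenv / os.environ reads, network imports, file writes."""
    def __init__(self):
        self.env_vars, self.network_imports, self.file_writes = set(), set(), set()

    def visit_Import(self, node):
        for alias in node.names:
            self._note_module(alias.name)
        self.generic_visit(node)

    def visit_ImportFrom(self, node):
        self._note_module(node.module or "")
        self.generic_visit(node)

    def visit_Call(self, node):
        f = node.func
        # os.getenv("X") or os.environ.get("X")
        if _is_attr(f, "os", "getenv") or (
                isinstance(f, ast.Attribute) and f.attr == "get"
                and _is_attr(f.value, "os", "environ")):
            self._note_env(node.args[:1])
        # open(path, "w"/"a"/"x") marks a file write.
        if isinstance(f, ast.Name) and f.id == "open" and len(node.args) >= 2:
            mode = node.args[1]
            if (isinstance(mode, ast.Constant) and isinstance(mode.value, str)
                    and set(mode.value) & set("wax")):
                self.file_writes.add(ast.unparse(node.args[0]))
        self.generic_visit(node)

    def visit_Subscript(self, node):
        if _is_attr(node.value, "os", "environ"):  # os.environ["X"]
            self._note_env([node.slice])
        self.generic_visit(node)

    def _note_module(self, name):
        root = name.split(".")[0]
        if root in NETWORK_MODULES:
            self.network_imports.add(root)

    def _note_env(self, args):
        if args and isinstance(args[0], ast.Constant) and isinstance(args[0].value, str):
            self.env_vars.add(args[0].value)


def scan_source(source):
    v = EnvAndNetworkVisitor()
    v.visit(ast.parse(source))
    return {"env_vars": sorted(v.env_vars),
            "network_imports": sorted(v.network_imports),
            "file_writes": sorted(v.file_writes)}


def declared_env_vars(skill_md):
    """Heuristic (assumption): any UPPER_SNAKE_CASE token in SKILL.md
    counts as documented; swap in the registry's real env field if it has one."""
    return set(re.findall(r"\b[A-Z][A-Z0-9_]{3,}\b", skill_md))


def undeclared_env_vars(source, skill_md):
    """Env vars the code reads that SKILL.md never mentions."""
    return sorted(set(scan_source(source)["env_vars"]) - declared_env_vars(skill_md))


if __name__ == "__main__":
    print(scan_source(SAMPLE_MP_BUILDER))
    print("undeclared:", undeclared_env_vars(SAMPLE_MP_BUILDER, SAMPLE_SKILL_MD))
```

Run against the real bundle by reading mp_builder.py and SKILL.md from disk instead of the inline stand-ins. A non-empty `undeclared` list reproduces the scanner's Credentials finding; a non-empty `network_imports` list tells you which modules to watch for in the VM/container network capture before deciding whether to supply any key.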
latest · vk974yh3fd2dtcyqgzjghmxcg61832tnf
