Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Wechat Quick Setup
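v1.0.0 · WeChat mini program quick-start template. Create cloud functions, configure the backend, and generate code with one click. Build a complete WeChat mini program in 10 minutes.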
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the included scripts: init.js generates a project scaffold and generate-function.js / generate-page.js produce cloud functions and pages for a WeChat mini program. The templates reference wx-server-sdk and Tencent Cloud features which are coherent with the stated Tencent-cloud backend.
Instruction Scope
SKILL.md instructs running several node scripts from ~/.openclaw/skills/wechat-quick-setup and editing ~/.openclaw/skills/wechat-quick-setup/config.json. However, SKILL.md references setup-cloud.js (node .../setup-cloud.js) which is not present in the package. The documented config.json is not read by the included scripts (no code in the bundle reads that file), so the runtime instructions are partially inconsistent/broken. The templates include a payment cloudFunction that would require payment credentials when deployed, but the skill does not document or request those credentials.
Install Mechanism
This is an instruction-only skill with included Node.js generator scripts; there is no install spec, no remote downloads, and nothing writes to system-wide locations. The risk is typical for local scaffolding code: running the scripts will create files in the current working directory (expected behavior).
Credentials
The skill declares no required environment variables or credentials. That is consistent with local scaffolding. One caveat: some generated templates (payment / cloudPay) will require Tencent/WeChat payment credentials when deployed — those are not requested by the skill and are external to the scaffolding step. No evidence the skill attempts to read or exfiltrate host credentials.
Persistence & Privilege
The skill is not always-enabled and is user-invocable. It does not ask to persistently modify other skills or global agent settings. Its scripts create project files only under the target project directory.
What to consider before installing
This package appears to be a local scaffolding tool for WeChat mini programs, but there are some inconsistencies and missing pieces. Before running anything:
1) Inspect the included scripts (init.js, generate-function.js, generate-page.js) yourself — they simply write files but you should review the exact contents.
2) Note SKILL.md references setup-cloud.js which is NOT bundled; expect that some setup steps may be manual or missing.
3) Run the scripts in a disposable/test directory (not your home or a production repo).
4) The payment/cloudPay templates will require Tencent/WeChat payment credentials only when you deploy — do not paste secrets into files created by the scaffolder without understanding where they will be stored.
5) If you plan to pay or contact the Pro-channel, verify the vendor independently (contact channels listed in SKILL.md may be unverified).
If you want a fully trustworthy package, request the missing setup script or a provenance/source URL from the publisher before installing.
Like a lobster shell, security has layers — review code before you run it.
