微信公众号写作发布助手
ReviewAudited by ClawScan on May 9, 2026.
Overview
The skill coherently supports WeChat article writing and draft-box upload, but it uses WeChat account credentials and local/generated files, so users should configure and run it carefully.
Install only if you want a local WeChat article workbench. Keep DRY_RUN=1 while testing, review generated JSON and image paths before uploading, protect the .env file containing WeChat credentials, and remember that the tool creates WeChat draft-box entries but does not directly publish articles.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If configured with real credentials, the workbench can act on the user's WeChat Official Account to create draft-box entries.
Real draft upload requires WeChat Official Account credentials. This is expected for the stated WeChat draft-box uploader, but these credentials give access to the user's account API.
WECHAT_APPID=\nWECHAT_APPSECRET=\nWECHAT_AUTHOR=
Use a dedicated WeChat app configuration where possible, keep the .env file private, and leave DRY_RUN=1 until you have reviewed the generated article and images.
Running the draft command with DRY_RUN disabled can create multiple draft-box items in the connected WeChat account.
The documented draft command can process all generated article JSON files and create real WeChat drafts when DRY_RUN is set to 0. This is disclosed and central to the skill, but it is still a third-party account mutation.
npm run draft -- --all\n\n如果 `DRY_RUN=1`,脚本只会模拟执行...不会真实创建草稿。
Validate the generated JSON first, review the files selected by --all, and only set DRY_RUN=0 when you intentionally want real draft creation.
Incorrect or untrusted generated JSON could cause the uploader to attempt to upload the wrong local image file.
The uploader uses paths from generated article JSON to select local cover and inline image files for upload. This is expected for image upload, but users should ensure those paths only point to intended project images.
const mediaId = await uploadPermanentImage(accessToken, resolvedCoverPath); ... const uploadedUrl = await uploadArticleImage(accessToken, image.path);
Keep coverImagePath and inlineImages paths under scripts/wechat-article-workbench/data/images/ and review generated JSON before running the draft command.
Installing dependencies runs a local Node.js toolchain and relies on the integrity of the listed packages.
The workbench installs third-party Node.js packages to extract web content, load .env configuration, and process images. This is purpose-aligned, and a package-lock is included, but npm installation still introduces dependency trust.
"dependencies": { "@mozilla/readability": "^0.6.0", "cheerio": "1.0.0", "dotenv": "^17.2.3", "jsdom": "24.1.3", "sharp": "^0.33.5" }Run npm install from the bundled workbench directory only, keep the lockfile, and review dependency changes before updating.
Article drafts, source materials, generated images, and configuration may remain on disk after use.
The skill persists sources, generated article JSON, images, state, and credentials-related configuration locally. The documentation discloses this and warns not to publish these files.
`.env`、`node_modules/`、`data/` 和日志文件都在 `.gitignore` 中...不要包含真实 `.env`。
Avoid putting confidential material into drafts unless intended, and keep the data directory and .env file out of shared repositories or public packages.
Article titles, summaries, images, and draft content may be sent to image-generation tooling and the WeChat API during the publishing workflow.
The skill may hand article context to an image-generation tool and upload generated content/images to WeChat. These external/tool interactions are disclosed and fit the purpose.
使用 `imagegen` skill/tool...并通过内置 `wechat-article-workbench` 上传到微信公众号平台草稿箱。
Do not include sensitive unpublished information unless you are comfortable sending it through the configured image-generation and WeChat upload paths.