wechat-publish-pro
Pass
Audited by VirusTotal on May 2, 2026.
Findings (1)
The skill contains a shell injection vulnerability in `scripts/publish.sh` where the `eval` command is used on variables (`$file`, `$title`, `$cover`) that are not sufficiently sanitized, potentially allowing arbitrary command execution if filenames or titles are maliciously crafted. Additionally, `src/wechat_publish_pro/converter/__init__.py` includes logic to send article content to a third-party service (`api.mdnice.com`) for conversion, which may pose a privacy risk. While these appear to be design flaws or functional choices rather than intentional malware, they represent a high-risk attack surface.
