WeChat Moments Post

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill appears to do what it says, but it can automatically publish to a logged-in WeChat account and leaves local screenshots, so it needs careful review before use.

Only use this skill when you have deliberately chosen the WeChat account, image, and caption to publish. Prefer adding a manual confirmation before the final Publish click, keep other sensitive windows closed, delete the temporary screenshots afterward, and install any Python dependencies from trusted, pinned sources.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the skill is invoked with the wrong image, caption, or WeChat account active, it can publish a Moments post visible to the user's social audience.

Why it was flagged

The script pastes the caption and then clicks the OCR-detected Publish button directly, with no explicit final confirmation or preview gate before posting.

Skill content

pyautogui.hotkey("ctrl", "v") ... if "发表" in txt: ... pyautogui.click(x, y)

Recommendation

Add an explicit final confirmation step that shows the target account, image path, and caption before clicking Publish; consider a dry-run mode and require user approval for the final click.

What this means

Any successful post is made as the currently logged-in WeChat user; there is no separate least-privilege token or account scoping shown.

Why it was flagged

The skill relies on the already logged-in WeChat desktop session and therefore acts with that account's full posting authority.

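Skill content

Depends on WeChat already being logged in; if the session is kicked offline, a manual QR-code scan is needed to log in again.

Recommendation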

Use only with the intended WeChat account logged in, verify the caption and image before running, and log out or close WeChat when not using the automation.

What this means

Private WeChat content or other on-screen data may remain in the temporary screenshot directory after the automation finishes.

Why it was flagged

The script stores screenshots for OCR/debugging, including a full-screen screenshot after the publish attempt; these local files may contain the caption, WeChat content, or other visible desktop information.

Skill content

ImageGrab.grab(bbox=(w.left, w.top, w.left + w.width, w.top + w.height)).save(str(crop_path)) ... ImageGrab.grab().save(str(TMP_DIR / "after_publish_attempt.png"))

Recommendation

Set WECHAT_MOMENTS_TMP to a known private folder, delete screenshots after use, and avoid running while unrelated sensitive windows are visible.

What this means

A user may need to install dependencies separately and must trust whatever package versions are obtained outside this artifact set.

Why it was flagged

The supplied package contains Python automation scripts but no pinned dependency or installation specification, while the code imports external GUI/OCR packages.

Skill content

No install spec — this is an instruction-only skill.

Recommendation

Provide a pinned dependency file or install spec, declare required environment variables and Windows-only operation in metadata, and install dependencies only from trusted sources.