Skillv1.1.0

ClawScan security

wechat-publisher · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 12, 2026, 2:31 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill appears to implement the stated WeChat publishing workflow, but there are mismatches between what it claims and what it declares (notably missing declared credentials) and a few behavioral claims in docs (automatic IP retrieval) that aren't clearly implemented in code.
Guidance: This skill is coherent with a WeChat publisher: it uses Playwright to render covers and calls the official WeChat API to upload images and save drafts. Before installing or using it: - Expect to provide WeChat AppID/AppSecret. The package will read them from a .env file or from references/*.json; the registry metadata did NOT list those env vars — verify you supply credentials only in local files or environment variables and do not upload them to public repos. - The code will create and modify local config files (e.g., multi_account_config.json) and write articles, covers, and logs under the specified base_dir. Review paths and ensure sensitive files are gitignored as recommended. - The docs claim the agent will "automatically obtain your current IP" on IP-white-list errors; I did not find a clear implementation for automatic IP lookup in the scripts (you may be asked to run curl/visit ip.cn manually). Test the behavior in a safe environment first. - Playwright and requests must be installed locally; run tests with dummy config/template before using real AppSecret. Keep AppSecret private and rotate it after testing if it was exposed. If you want this skill to be less risky: run it in an isolated environment, provide credentials via environment variables (not committed to disk), inspect the code yourself or run the included tests, and confirm the platform won’t upload your config files. If you need, provide the maintainer with feedback asking them to declare required env vars in registry metadata and to add an explicit IP-discovery function (or clarify the behavior) in code.

Review Dimensions

Purpose & Capability: noteThe name/description match the code and docs: scripts perform account switching, article/covers generation (templates + Playwright), uploading to WeChat, and logging. Requiring AppID/AppSecret and Playwright is expected for this purpose. However the registry metadata claims no required env vars / primary credential while the package clearly expects AppID/AppSecret (via .env or references/*.json) — this is an inconsistency to be aware of.
Instruction Scope: noteSKILL.md limits actions (explicit confirmation required at each step) and restricts operations to local files + WeChat API. That scope is appropriate. One claim in the docs/SKILL.md — that the agent will "自动获取用户当前IP地址" on IP-white-list errors — is not implemented as a distinct function in the scripts (no code that queries an external IP service). The rest of runtime steps (load config, render templates with Playwright, upload to WeChat API, write logs) are consistent with the stated purpose.
Install Mechanism: okNo install spec is provided (instruction-only install). The package includes requirements.txt listing requests, playwright, python-dotenv and documentation telling users to install Playwright; this is proportionate. No downloads from untrusted URLs or extractable archives are present.
Credentials: concernThe package needs sensitive credentials (WeChat AppID/AppSecret) and supports environment variables (.env / WECHAT_APP_ID_1 etc.) and config files (references/my_accounts.json, multi_account_config.json). Yet the registry metadata declares no required environment variables or primary credential — that's a mismatch. The code will read local .env and local config files and may write to multi_account_config.json (switch_account.py), so credentials will exist on disk unless you use environment variables. This request for secrets is proportionate to the feature, but the lack of declared credentials in the registry metadata and the multiple locations where the skill reads/writes credentials/configs are worth flagging.
Persistence & Privilege: okThe skill is not force-included (always:false) and does not request any platform-level persistent privileges. It writes to its own project directories (config, articles, logs) which is expected for a publisher tool. It modifies local config files (e.g., multi_account_config.json) to switch accounts — expected behavior, not an escalation of privilege.