Zhy Wechat Publish
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: zhy-wechat-publish
Version: 0.1.0

The skill bundle facilitates publishing articles to WeChat and handles sensitive credentials (WECHAT_APP_SECRET). It contains high-risk behaviors including executing sub-processes via spawnSync in 'publish_with_cover.js', programmatically modifying local .env files in 'upload_image.js', and fetching arbitrary remote URLs in 'wechat_draft.js' to process images. While these actions are aligned with the stated purpose of article management, the combination of credential access, local file modification, and potential Server-Side Request Forgery (SSRF) risks makes it suspicious.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If run from a project with other secrets in .env, the skill may gain access to more credentials than are needed for WeChat draft publishing.
The loader imports every variable from several .env locations, not just WECHAT_* or declared image-provider keys. This can pull unrelated project secrets into the skill process and its child processes.
const candidates = [
  path.resolve(skillDir, '.env'),
  path.resolve(process.cwd(), '.env'),
  path.resolve(skillDir, '..', '..', '..', '.env')
];
...
process.env[key] = value;
Use a skill-local .env with only the required WeChat/image variables, declare required credentials in metadata, and restrict the loader to an allowlist of expected keys.
Using automatic cover generation may execute unreviewed local code with access to the skill's environment variables.
The automatic cover path runs a sibling helper script that is not included in the reviewed file manifest, creating a provenance gap for code that receives article-derived prompts and the inherited environment.
return path.resolve(__dirname, '..', '..', 'zhy-article-illustrator', 'scripts', 'image-gen.ts');
...
runCommand('bun', [imageGenScript, '--prompt', prompt, '--output', coverPath, '--ar', aspectRatio], ...)

Review or include/pin the zhy-article-illustrator helper, and pass a minimal environment to child processes instead of the full process.env.
A mistaken invocation could create unwanted drafts or upload images to the account's material library, though the README says it does not final-publish articles.
The script uses the WeChat API to create official-account drafts, which is the stated purpose but still changes account state.
const url = `https://api.weixin.qq.com/cgi-bin/draft/add?access_token=${token}`;

Confirm the target account, title, HTML file, and images before running, and review the draft in WeChat before publishing.
Running the automatic workflow executes local Node/Bun scripts on your machine.
The skill executes local commands for its documented workflow. `shell: false` reduces shell-injection risk, but it is still local code execution.
const result = spawnSync(command, args, {
  cwd: options.cwd || process.cwd(),
  encoding: 'utf8',
  env: options.env || process.env,
  shell: false
});

Run this only from a trusted installation and avoid using the automatic cover path unless you also trust the referenced helper script.
