Wechat AutoPublish

v1.0.1

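Automates publishing of WeChat Official Account articles: creates and manages article drafts through the API, with automatic upload of cover images and in-body images. Use it to publish articles to an Official Account, create content drafts, automate content workflows, or set up a scheduled publishing system.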

by Zhengy Li (@zlr25)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description, SKILL.md, and the included Python/Node scripts consistently implement a WeChat publisher: obtaining access tokens, uploading cover/body images, replacing local image src, and creating drafts. The skill uses a local config.json to hold AppID/AppSecret rather than environment variables; this is coherent with the documented usage.
Instruction Scope
Runtime instructions and scripts only interact with files referenced by the user (config.json, .tokens cache, local image files) and with the configured apiBaseUrl (defaulting to api.weixin.qq.com). They do not phone home to hidden endpoints. Caution: the scripts will open and POST any local file whose path ends with an allowed image extension (e.g., .jpg/.png). If a non-image sensitive file is renamed to have an image extension, it could be uploaded. The Node script also searches parent paths for config.json, expanding its file-read scope slightly.
Install Mechanism
This is an instruction-only skill with included source files; there is no external install/download step. Dependencies are standard (httpx for Python; axios and form-data for Node) and are proportional to the stated functionality.
Credentials
No environment variables or platform credentials are requested by the skill; secrets are stored in a local config.json (AppID/AppSecret). That is a reasonable design choice but requires user caution: putting the AppSecret in a file is normal, but the file should be protected (gitignored, with restricted file permissions). The config allows overriding apiBaseUrl; if misconfigured (or maliciously edited), it could direct tokens and uploads to a non-WeChat endpoint.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or global agent settings. It caches the access token in a local .tokens/token_cache.json (configurable path), which is normal for this use case; ensure that directory is secure.
Assessment
This skill is internally coherent for publishing to WeChat, but take these practical precautions before running:
1) Store your AppID/AppSecret in config.json and add that file to .gitignore; restrict its filesystem permissions.
2) Verify apiBaseUrl in config.json remains the official https://api.weixin.qq.com unless you intentionally test against another host; otherwise tokens and uploads could be sent to an attacker-controlled endpoint.
3) Only allow image files from trusted directories; the scripts decide upload eligibility by file extension, not by inspecting file contents, so a sensitive file renamed to e.g. .jpg could be uploaded.
4) Protect the .tokens cache directory (set restrictive permissions) or change its location if needed.
5) Review the included scripts (publish_article.py / .js) in a safe environment and, if possible, run the first tests with a throwaway test account.
If you need higher assurance, run the scripts in an isolated container and audit network traffic to confirm connections go only to WeChat endpoints.
