Skill v1.0.1

ClawScan security

Wechat AutoPublish · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 21, 2026, 11:55 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, instructions, and resource needs match its stated purpose (automating WeChat article uploads) and do not request unrelated credentials or network endpoints, though you should secure the local config and token cache and be cautious about configurable API endpoints and uploaded file content.
Guidance
This skill is internally coherent for publishing to WeChat, but take these practical precautions before running:
1) Store your AppID/AppSecret in config.json and add that file to .gitignore; restrict its filesystem permissions.
2) Verify apiBaseUrl in config.json remains the official https://api.weixin.qq.com unless you intentionally test against another host; otherwise tokens and uploads could be sent to an attacker-controlled endpoint.
3) Only allow image files from trusted directories; the scripts decide upload eligibility by file extension, not by inspecting file contents, so a sensitive file renamed to e.g. .jpg could be uploaded.
4) Protect the .tokens cache directory (set restrictive permissions) or change its location if needed.
5) Review the included scripts (publish_article.py / .js) in a safe environment and, if possible, run the first tests with a throwaway test account.
If you need higher assurance, run the scripts in an isolated container and audit network traffic to confirm connections go only to WeChat endpoints.

Review Dimensions

Purpose & Capability
ok: Name/description, SKILL.md, and the included Python/Node scripts consistently implement a WeChat publisher: obtaining access tokens, uploading cover/body images, replacing local image src, and creating drafts. The skill uses a local config.json to hold AppID/AppSecret rather than environment variables; this is coherent with the documented usage.
Instruction Scope
note: Runtime instructions and scripts only interact with files referenced by the user (config.json, .tokens cache, local image files) and with the configured apiBaseUrl (defaulting to api.weixin.qq.com). They do not phone home to hidden endpoints. Caution: the scripts will open and POST any local file whose path ends with an allowed image extension (e.g., .jpg/.png). If a non-image sensitive file is renamed to have an image extension, it could be uploaded. The Node script also searches parent paths for config.json, expanding its file-read scope slightly.
Install Mechanism
ok: This is an instruction-only skill with included source files; there is no external install/download step. Dependencies are standard (httpx for Python; axios and form-data for Node) and are proportional to the stated functionality.
Credentials
note: No environment variables or platform credentials are requested by the skill; secrets are stored in a local config.json (AppID/AppSecret). That is a reasonable design choice but requires user caution: putting AppSecret in a file is normal, but the file should be protected (gitignored, file permissions restricted). The config allows overriding apiBaseUrl; if misconfigured (or maliciously edited) it could direct tokens and uploads to a non-WeChat endpoint.
Persistence & Privilege
ok: The skill does not request always:true and does not modify other skills or global agent settings. It caches the access token to a local .tokens/token_cache.json (configurable path), which is normal for this use case; ensure that directory is secure.