      0731coderlee-sudo

      Safety Report

      Wechat Publisher

      @0731coderlee-sudo

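      One-click publishing of Markdown to the WeChat Official Account drafts box. Based on wenyan-cli; supports multiple themes, code highlighting, and automatic image upload.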

      3,778 Downloads
      14 Installs
      20 Stars
      2 Versions
      CLI & Shell Tools 1,805 · Documentation 1,163

      Security Analysis

      medium confidence
      Suspicious · 0.12 risk

      The skill appears to implement a legitimate WeChat-publishing workflow, but its published metadata omits required credentials and the included scripts will read a workspace file and perform a global npm install — review before installing or running.

      Feb 11, 2026 · 7 files · 4 concerns

      Purpose & Capability: note

      The name/description (publish Markdown to WeChat drafts using wenyan-cli) match the code and instructions. However the skill metadata declares no required environment variables/credentials even though the runtime instructions and scripts require WECHAT_APP_ID and WECHAT_APP_SECRET and expect them to be stored in a TOOLS.md file in the OpenClaw workspace. That metadata omission is an incoherence you should be aware of.

      Instruction Scope: note

      SKILL.md and scripts limit actions to converting/publishing Markdown via wenyan-cli and reading credentials. The scripts explicitly read $HOME/.openclaw/workspace/TOOLS.md (grep for export WECHAT_APP_ID/SECRET) and will source/set environment variables. This behavior is in‑scope for publishing, but it does access a user file (TOOLS.md) and will automatically install wenyan-cli if missing — both are runtime actions the user should consent to.

      Install Mechanism: note

      There is no formal install spec in the registry (instruction-only). The publish script runs npm install -g @wenyan-md/cli when wenyan is absent — a global npm install performed at runtime. This is expected for using wenyan-cli but is a moderate-risk action (network download and global installation); the install sources are a public npm package (no suspicious URLs).

      Credentials: concern

      The skill requires WECHAT_APP_ID and WECHAT_APP_SECRET for its function, but the registry metadata did not declare these required environment variables. The scripts attempt to extract them from TOOLS.md, which means a plaintext secrets file in the user's workspace will be read. The amount and type of credentials requested are proportionate to the stated purpose, but the metadata omission and reading of a workspace file without explicit declaration is a risk/oversight that should be corrected or validated by the user.

      Persistence & Privilege: ok

      The skill does not request 'always: true' nor modify other skills or system-wide settings. Its only persistent action is potentially installing wenyan-cli globally (npm -g) when run; it does not autonomously enable itself or alter other skills. Autonomous invocation is allowed but not unique to this skill.

      Guidance

      This skill appears to do what it claims (wrap wenyan-cli to publish Markdown to WeChat), but take these precautions before installing or running it:

      - Expect to provide WECHAT_APP_ID and WECHAT_APP_SECRET. The registry metadata omitted those required env vars; the scripts will try to read them from $HOME/.openclaw/workspace/TOOLS.md or from your environment.
      - Inspect your TOOLS.md: do not store unrelated secrets there. The scripts grep that file for lines like 'export WECHAT_APP_ID=...'. If you keep many credentials in TOOLS.md, consider moving only the WeChat entries to a dedicated file or set the variables in your shell instead.
      - The publish script will attempt a global 'npm install -g @wenyan-md/cli' if wenyan is not present. Global npm installs involve network downloads and change your system environment; review the wenyan-cli package (its npm page / GitHub repo) before allowing the install.
      - Run the script in a controlled environment first (e.g., a development VM or container) to observe behavior and confirm it only interacts with wenyan and the WeChat API. Verify that no unexpected network endpoints are contacted beyond npm and the WeChat API.
      - Prefer exporting WECHAT_APP_ID/WECHAT_APP_SECRET in your shell (or use setup.sh via 'source') rather than leaving credentials in files readable by other processes/users.

      If you want to proceed: verify the wenyan-cli source, add the WeChat credentials only where intended, and run the scripts locally rather than granting them any elevated automated privileges.

      Latest Release

      v0.1.0

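      wechat-publisher v0.1.0

      - Removed the openclaw installation information and the description of wenyan-cli as an automatic dependency; wenyan-cli must now be installed globally by hand
      - Trimmed the metadata: removed the auto-detection and installation guidance, keeping only basic information
      - Updated the README and documentation to emphasize that wenyan-cli must be manually installed globally, and to provide a way to verify the installation
      - Other functionality is the same as the original version; no changes at the business-logic level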


      Published by @0731coderlee-sudo on ClawHub
