📦 WeChat Mini Program Builder — WeChat工具
v1.0.0[AI辅助] AI-assisted tool to quickly build WeChat Mini Programs with templates, auto-generated code, cloud functions, and deployment support.
1· 233·2 当前·2 累计
by 安全扫描
OpenClaw
可疑
medium confidenceThe package's README/usage (npm mp-builder CLI) does not match the included Python code (which requires an OPENCLAW_API_KEY and calls an OpenClaw API), and the skill asks for a sensitive env var in code that the metadata and SKILL.md do not declare — proceed with caution and verify origin before running or providing credentials.
评估建议
This skill shows multiple inconsistencies: the user-facing instructions talk about a Node CLI, but the included code is a Python script that will call an external OpenClaw API and requires an OPENCLAW_API_KEY that is not documented. Before installing or running: 1) Ask the publisher for the canonical source/repo and clarification (is the tool Node or Python?). 2) Do not supply any API keys until you confirm why they are needed and whether the key will be limited/scoped. 3) Inspect the code local...详细分析 ▾
⚠ 用途与能力
The SKILL.md describes an npm-based CLI (miniprogram-cli / mp-builder) and gives Node-centric usage, but the bundle includes a Python tool (mp_builder.py) that implements the described features. The Python code requires an OPENCLAW_API_KEY environment variable (and imports an OpenClaw client) even though the skill metadata lists no required env vars or primary credential. These mismatches are disproportionate to the stated purpose and unclear to a user.
⚠ 指令范围
SKILL.md instructs installing a Node CLI and running mp-builder commands; it does not mention setting an API key or contacting any external LLM/service. The Python code, however, sends prompts to an external OpenClaw chat API to generate page code and will fail or raise an exception if OPENCLAW_API_KEY is not set. The code also writes generated content and cloudfunction templates to disk (pages/, cloudfunctions/). The instructions therefore omit that the tool will call an external model and require credentials.
⚠ 安装机制
There is no declared install spec (instruction-only), but SKILL.md suggests installing a global npm package. The included implementation is Python and imports an 'openclaw' package without declaring how to install it. This mismatch creates uncertainty about what actually needs to be installed and from where — increasing risk because dependencies and provenance are unclear.
⚠ 凭证需求
The Python code requires a sensitive environment variable OPENCLAW_API_KEY and will abort if it's missing, yet the skill metadata declares no required env vars and SKILL.md does not instruct users to provide this key. Requiring an API key for an external model is plausible for AI code generation, but the omission in metadata and docs is a red flag: users could accidentally supply a general/privileged key without understanding why. No other credentials are requested, but this single undeclared secret request is disproportionate and undocumented.
✓ 持久化与权限
The skill does not request always:true and is user-invocable only; it does not modify other skills or system-wide settings. It writes project files to the current directory (normal for a project generator) but requests no elevated/system-level privileges.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/3/17
Initial release of WeChat Mini Program Builder. - Provides AI-assisted WeChat mini program development, reducing time from idea to launch to just 3 days. - Includes 10+ project templates for common scenarios (e-commerce, restaurant, booking, showcase, etc.). - Features AI code generator for automatic page and component creation based on user prompts. - Offers templates for cloud functions such as login, payment, and order processing. - Step-by-step deployment guide included. - Available in three tiers: Basic, Pro, and Enterprise, with different features and pricing.
● 无害
安装命令
点击复制官方npx clawhub@latest install wechat-mini-program-builder
镜像加速npx clawhub@latest install wechat-mini-program-builder --registry https://cn.longxiaskill.com