📦 wx-md-article — 一键推文

Name: wx-md-article — 一键推文
Rating: 1

v1.0.0

将 Markdown 自动排版为符合微信风格的公众号草稿，支持配色与格式优化，一键上传至草稿箱。

1· 267·0 当前·0 累计

by @yangchao228 (Sundy Yang)

文档工具自动化文件处理

下载技能包

最后更新

2026/4/22

安全扫描

VirusTotal

可疑

查看报告

OpenClaw

可疑

medium confidence

NULL

评估建议

This skill does what it says (converts Markdown and uploads to WeChat) but the package includes a config.json with an appid and appsecret embedded. Do NOT use those credentials. Before installing or running: (1) Replace the appid/appsecret in config.json with your own WeChat credentials (or modify the scripts to read credentials from a secure location or env vars); (2) Rotate the embedded credentials if you control the referenced account, and avoid uploading sensitive content while using third-p...

详细分析 ▾

ℹ 用途与能力

Name/description match the code: scripts convert Markdown to HTML and call WeChat APIs to upload drafts. However, instead of declaring required credentials or prompting the user to supply them, the package includes a config.json with an appid and appsecret embedded — that is unusual and should be justified (example config is expected, but these look like real values).

✓ 指令范围

SKILL.md and the scripts confine themselves to converting the provided input file, building HTML, and calling api.weixin.qq.com endpoints. They do not read unrelated system files or call external endpoints beyond the WeChat API. One scope note: the script echoes part of the access_token to stdout which can leak secrets into logs.

✓ 安装机制

There is no remote-install step or downloads. This is an instruction+script package; nothing is fetched from arbitrary URLs at install time. Risk surface is limited to the included shell scripts being run locally.

⚠ 凭证需求

The skill declares no required environment variables or primary credential, yet config.json contains an appid and appsecret (and a default thumb_media_id). Bundling active credentials in the package is disproportionate and dangerous: the script will use those credentials to act on behalf of that WeChat account rather than the user's account. The skill should instead prompt for or document replacing these with the user's own credentials.

✓ 持久化与权限

The skill does not request persistent or system-wide privileges (always:false). It writes temporary files under /tmp while running and cleans them up; it does not modify other skills or system configs.

安全有层次，运行前请审查代码。

运行时依赖

无特殊依赖

版本

latestv1.0.02026/3/11

NULL

● 可疑

安装命令

点击复制

官方npx clawhub@latest install wx-md-article

镜像加速npx clawhub@latest install wx-md-article --registry https://cn.longxiaskill.com镜像同步中

需要定制？告诉我你的需求 →

数据来源：ClawHub ↗ · 中文优化：龙虾技能库