Security Scan
OpenClaw
Suspicious
medium confidence
Assessment recommendation
This skill appears to implement a legitimate miniProgram CI wrapper, but take precautions before running anything: 1) Inspect scripts/wx-miniprogram-ci.js to confirm whether it will run npm installs or external commands automatically and where it writes files. 2) Back up any existing ~/.wxmini-ci.config.js before running the skill or tests — the provided tests (tests/run-tests.js) copy a test config to your real config path and may overwrite it without preserving the original. 3) Keep your WeCha...
✓ Purpose and capabilities
Name/description (wx miniprogram CI using miniprogram-ci) align with the provided script and config example: the code implements commands for init, config, preview, upload, build-npm, upload-function, upload-storage and interacts with project files and a private key path as expected.
ℹ Instruction scope
SKILL.md instructs running the included Node script from the skill's scripts directory and describes persisting configuration to ~/.wxmini-ci.config.js. That behavior is expected for a CLI tool, but the skill also ships test scripts that perform file operations on the user's home config (see tests/run-tests.js) which could overwrite a user's existing ~/.wxmini-ci.config.js if run.
✓ Install mechanism
No install spec; this is instruction + script files only. No external download URLs or installers are present in the provided files, which reduces install-time risk. The script may invoke npm or miniprogram-ci at runtime (not executed by the platform during install).
⚠ Credential requirements
The tool legitimately needs project paths and private key file paths for WeChat operations. However, it persists configuration to the user's home (~/.wxmini-ci.config.js) and the tests intentionally copy a test config over the real config file (tests/run-tests.js) in a way that will overwrite an existing real config without backing it up first—this is disproportionate risk for a skill and could inadvertently clobber user data. The script also reads filesystem paths (including private key files) which is expected but sensitive; no explicit environment variables or cloud credentials are requested by the skill itself.
ℹ Persistence and privileges
The skill writes a persistent config file in the user's home directory and can persist per-project settings. It does not request 'always: true' or other elevated platform privileges. Persisting config to the user's home is reasonable for a CLI tool, but users should be aware of the persistent file location and that tests/scripts can modify it.
⚠ scripts/wx-miniprogram-ci.js:466
Shell command execution detected (child_process).
⚠ tests/run-tests.js:61
Shell command execution detected (child_process).
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v1.0.1 2026/4/13
● Suspicious
Install command
Official: npx clawhub@latest install wx-miniprogram-ci
Mirror (accelerated): npx clawhub@latest install wx-miniprogram-ci --registry https://cn.longxiaskill.com