公众号自动发布

将现成的文章内容发布到微信公众号草稿箱。当用户说"发布文章"、"发布到草稿箱"、"publish to draft"、"推送到公众号"时触发。

This skill appears to implement a legitimate WeChat draft publisher, but there are some red flags to consider before installing: - Required credentials missing from registry metadata: The runtime script (scripts.sh) requires WECHAT_APPID and WECHAT_SECRET. The package registry incorrectly lists no required env vars—treat this as a manifest bug. Do not provide credentials until you confirm what the skill actually needs. - Credential handling: The README suggests sourcing a .env from your shell startup. If you follow that, those secrets become environment variables for your whole shell session and could be read by other processes; prefer supplying credentials scoped to the process or using a minimal isolated environment. - Network calls and endpoints: The script calls only official WeChat endpoints (api.weixin.qq.com). Verify those endpoints in your environment and ensure you expect the account that will be used. - DEFAULT_COVER_URL behavior: SKILL.md mentions downloading a default cover to /tmp if DEFAULT_COVER_URL is set, but scripts.sh doesn't implement the download—confirm who performs the download and where DEFAULT_COVER_URL points to (avoid untrusted hosts). - Automation risk: If you enable Cron to auto-run this skill, a misconfigured downstream caller could publish undesired content. Review who can trigger the skill and audit scheduled tasks. Actionable steps before use: 1) Inspect and test scripts.sh locally in a safe account (do not use production AppID/Secret) to confirm behavior. 2) Fix or request corrected registry metadata that lists WECHAT_APPID and WECHAT_SECRET as required. 3) Provide credentials using a secure mechanism (process-scoped env or secrets manager), not by globally sourcing .env in your shell rc. 4) If enabling automation (cron), restrict the triggering source and monitor activity logs in the WeChat backend. If you want, I can suggest a minimal checklist or an example of a safer invocation pattern that avoids adding secrets to your shell startup.

Type: OpenClaw Skill Name: mp-draft-push Version: 1.0.2 The skill is classified as suspicious due to a critical shell injection vulnerability in `scripts.sh`. The `upload_wechat_image` function directly embeds the user-controlled `image_path` parameter into a `curl` command (`-F "media=@${image_path}"`), allowing an attacker to execute arbitrary commands by crafting a malicious `cover_image_path`. Additionally, the `SKILL.md` instructs the agent to download a default cover image from `DEFAULT_COVER_URL` if provided, which could lead to SSRF/LFI if the agent's download mechanism lacks URL validation.