微信公众号发布工具

微信公众号文章发布工具 v1.0。基于官方 API，支持智能配图、模板渲染、草稿/发布双模式。当用户说"发公众号"、"发布微信公众号"时使用此技能。

Key things to consider before installing: - Credentials: The skill needs your WeChat AppID and AppSecret (and optionally API keys for image providers such as DALL‑E, VolcEngine, Baidu, Unsplash, OpenAI). The registry metadata does not list these env vars — ask the author for a precise list and which are required vs optional. - Token/storage: The code stores access_token in a local JSON cache file in plaintext (albeit file mode 600). If an attacker obtains your filesystem they could post as your account. Prefer using an OS keyring or enable encryption (the project’s audit suggests Fernet). Do not reuse high‑privilege credentials elsewhere. - Logs & secrets: Logs may still contain sensitive identifiers despite masking. Review logs directory and consider enabling stricter masking, log rotation, and restricted permissions. The cleanup_logs.py script references an absolute user path (/Users/brucesong/...) — update to your environment before running. - Scheduled tasks: The documentation shows how to create launchd/cron tasks. Those scheduled scripts currently lack execution authentication per the audit. If you enable scheduling, run on a dedicated machine, restrict who can edit the schedule, and supply an execution secret (as suggested by the audit). - Input sanitization: Markdown-to-HTML currently lacks sanitization; enable/verify bleach-based cleaning before publishing if you accept untrusted Markdown. - Run safely: Install and test in an isolated environment (non-production account or test WeChat public account) first. Inspect config.example.yaml, config.yaml, and code paths that reference home directories; change hard-coded absolute paths to avoid accidental file operations on your system. - Ask for fixes or patch locally: The included SECURITY_AUDIT.md is helpful; request or apply the suggested fixes (encrypt token cache, sanitize logs, validate uploads, enforce SSL verify, protect scheduled task execution) before using with production accounts. If you want, I can: (1) list every env var the code reads, (2) point to exact lines to patch for token encryption and markdown sanitization, or (3) prepare a minimal safe checklist to harden this skill before enabling it.

Type: OpenClaw Skill Name: wechat-mp-publish-skill Version: 1.0.2 The bundle is a comprehensive and well-documented tool for automating WeChat Official Account publishing, including Markdown rendering and AI-driven image generation. It exhibits high security awareness, featuring dedicated scripts to redact sensitive information from logs and source code (cleanup_logs.py, cleanup_secrets.py) and providing detailed self-conducted OWASP security audits. While the audits identify potential vulnerabilities such as plain-text token caching, the developer has implemented mitigations like strict file permissions (0o600) and environment variable substitution, indicating responsible development rather than malicious intent.