← Back to Skills Marketplace

wechat mp push 微信公众号图文生成与推送技能

Name: wechat mp push 微信公众号图文生成与推送技能
Author: lihengdao

by lihengdao · GitHub ↗ · v3.0.3 · MIT-0

cross-platform ⚠ suspicious

463

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install wechat-mp-push

Description

支持通过AI生成符合公众号规范的图文（文章和贴图），并推送到公众号草稿箱，兼容其它SKILL生成的图文、图片进行推送。通过配置向导扫码授权，支持多账号。无需泄露公众号Secret密钥，无需配置公众号IP白名单。

Usage Guidance

What to check and do before installing or using this skill: - Inspect the code before running. The included file push-to-wechat-mp.js is the only executable; review it yourself (it is readable JS) and verify it only posts to the intended endpoint and only reads files in the skill directory. - Confirm Node.js availability and consider declaring node as a requirement. If you cannot or do not want to run node locally, do not run this skill. - Be careful when creating/supplying config.json. The workflow asks you to paste configuration JSON from a web wizard — verify the JSON contents locally before giving it to the agent or saving it in the skill folder. Do not paste any secrets you do not intend to share. - Verify apiBase in your config.json is the official service (default is https://api.pcloud.ac.cn/openClawService). Do not accept or use config files that set apiBase to unfamiliar domains or IPs; a malicious apiBase would receive all uploaded HTML and images. - Treat openId and any other identifiers as potentially sensitive. If you must use this skill for sensitive content, prefer authorizing your own official WeChat appId rather than using a shared/platform-provided account. - The SKILL.md contained a prompt-injection signal (unicode control chars). Proceed cautiously: do not allow the agent to autonomously request or accept arbitrary configuration or credentials via chat without you verifying them. - If you are unsure or cannot inspect files, run the script in an isolated/sandbox environment or decline to install. If you want, I can walk through the push-to-wechat-mp.js file line-by-line and highlight the exact network requests and JSON fields it sends so you can audit what will be transmitted.

Capability Analysis

Type: OpenClaw Skill Name: wechat-mp-push Version: 3.0.3 The skill facilitates content publishing to WeChat by executing a local Node.js script (push-to-wechat-mp.js) that sends user-generated HTML and a service-specific identifier (openId) to a third-party API (api.pcloud.ac.cn). While this behavior aligns with the stated purpose of bypassing WeChat's complex IP/Secret requirements, the use of shell execution, local file system access, and the exfiltration of content to an external proxy service represent high-risk capabilities. No evidence of intentional malice or unauthorized data theft (e.g., SSH keys or environment variables) was detected.

Capability Assessment

ℹ Purpose & Capability

The name/description (generate WeChat article HTML and push to a draft box) matches the code and runtime instructions: the JS script reads a local config.json and posts article HTML or image URLs to an external API to perform the push. However the SKILL declares no required binaries while the runtime instructions and included script assume Node.js is available (the script is invoked via `node`). That mismatch (no declared node requirement) is an incoherence you should account for.

⚠ Instruction Scope

The SKILL.md instructs the agent to: ask the user to run a web-based configuration wizard, have the user scan a QR and paste the resulting JSON into a config.json file in the skill directory, then run the included node script which reads that config and uploads content. The instructions do not request other system files or env vars, which is appropriate, but the SKILL.md contained a detected 'unicode-control-chars' prompt-injection pattern (pre-scan signal). Also the workflow asks users to paste JSON they received into chat/skill files — that can lead to accidental disclosure of identifiers or other sensitive fields if users are not careful.

ℹ Install Mechanism

There is no install spec (instruction-only behavior) which is low-risk in itself. The package includes a local JS script (push-to-wechat-mp.js) that will be executed by Node.js; because there is no install step, nothing extra is written during install. Still, the presence of executable script means you will execute code from an unknown source on your environment if you run it locally — verify Node availability and inspect the script before running.

⚠ Credentials

The skill does not declare environment variables, but it requires a config.json created by the external configuration wizard. That config contains at minimum openId and an accounts list; it can also include an apiBase override. The script will POST the full article HTML and any thumb content to the apiBase URL (default https://api.pcloud.ac.cn/openClawService). Allowing apiBase to be set in config.json means a malicious/modified config could redirect all uploaded article content to an arbitrary endpoint. Asking users to paste configuration JSON into the skill directory/chat increases the risk of exposing identifiers or other sensitive fields to the agent or remote service. Overall the set of credentials/fields requested is plausible for the stated purpose but the apiBase override and the 'paste config into chat' step create an exfiltration vector.

✓ Persistence & Privilege

The skill does not request permanent presence (always:false) and does not attempt to alter other skills or system-wide agent configs. It only reads files in its own directory (config.json and local HTML files). It does require the agent (or user) to write config.json into the skill directory, which is normal for local configuration but is an action that stores data on disk.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install wechat-mp-push
After installation, invoke the skill by name or use /wechat-mp-push
Provide required inputs per the skill's parameter spec and get structured output

Version History

v3.0.3

chore: sync (v3.0.3)

v3.0.2

chore: sync (v3.0.2)

v3.0.1

chore: sync (v3.0.1)

v3.0.0

chore: sync (v3.0.0)

v2.0.1

chore: sync (v2.0.1)

v2.0.0

chore: sync (v2.0.0)

v1.0.26

chore: sync (v1.0.26)

v1.0.25

chore: sync (v1.0.25)

v1.0.23

chore: sync (v1.0.23)

v1.0.22

chore: sync (v1.0.22)

v1.0.21

chore: sync (v1.0.21)

v1.0.19

chore: sync (v1.0.19)

v1.0.18

chore: sync (v1.0.18)

v1.0.16

chore: sync (v1.0.16)

v1.0.15

chore: sync (v1.0.15)

v1.0.13

chore: sync (v1.0.13)

v1.0.12

chore: sync (v1.0.12)

v1.0.11

chore: sync (v1.0.11)

v1.0.10

chore: sync (v1.0.10)

v1.0.9

chore: sync (v1.0.9)

Metadata

Slug wechat-mp-push

Version 3.0.3

License MIT-0

All-time Installs 1

Active Installs 1

Total Versions 28

Frequently Asked Questions

What is wechat mp push 微信公众号图文生成与推送技能?

支持通过AI生成符合公众号规范的图文（文章和贴图），并推送到公众号草稿箱，兼容其它SKILL生成的图文、图片进行推送。通过配置向导扫码授权，支持多账号。无需泄露公众号Secret密钥，无需配置公众号IP白名单。 It is an AI Agent Skill for Claude Code / OpenClaw, with 463 downloads so far.

How do I install wechat mp push 微信公众号图文生成与推送技能?

Run "/install wechat-mp-push" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is wechat mp push 微信公众号图文生成与推送技能 free?

Yes, wechat mp push 微信公众号图文生成与推送技能 is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does wechat mp push 微信公众号图文生成与推送技能 support?

wechat mp push 微信公众号图文生成与推送技能 is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created wechat mp push 微信公众号图文生成与推送技能?

It is built and maintained by lihengdao (@lihengdao); the current version is v3.0.3.

More Skills