abigale-cyber

WeChat Studio

Author: Abigale-cyber · GitHub · v1.0.1 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 95
Favorites: 1
Current installs: 0
Versions: 2
Install in OpenClaw
/install content-system-wechat-studio
Description
Launch a local WeChat article workbench for Markdown import, WeChat HTML preview, theme tuning, image selection, and optional draft push. Use when Codex need...
Usage instructions (SKILL.md)

WeChat Studio

Use wechat-studio as the manual workbench between generated article assets and final publishing. On ClawHub, this skill is published as content-system-wechat-studio.

Quick Start

Install the shared Python dependencies and the workbench frontend dependency:

.venv/bin/pip install -r requirements.txt
cd skills/wechat-studio/frontend && npm install

Start the local server:

python3 skills/wechat-studio/frontend/server.py

Open the workbench in the browser:

http://127.0.0.1:4173

The image defaults shown in the settings page should reflect the adjacent generate-image runtime:

provider: openai
api base: https://new.suxi.ai/v1
model: nano-nx

Use This Skill When

  • You need a local WeChat preview before publishing
  • You want to import Markdown into a reusable article workspace
  • You want to adjust theme, typography, and layout manually
  • You need to review cover images or inline image slots
  • You want to push a checked article into the WeChat draft box

Default Workflow

  1. Start the server and open the local workbench.
  2. Import a Markdown article or switch to an existing article workspace.
  3. Review the generated WeChat preview and article metadata.
  4. Tune theme, typography, cover, and inline images.
  5. Push the final checked version to the WeChat draft box if needed.

Use the settings page to distinguish:

  • configured image values from the current md2wechat setup
  • effective image values that generate-image actually injects at runtime

Related Skills

  • wechat-formatter provides the WeChat HTML render step
  • generate-image provides the article companion images
  • case-writer-hybrid and humanizer-zh typically feed the upstream article draft

Notes

  • This is a workbench skill, not a pure one-shot executor
  • Draft push depends on the local WeChat publishing configuration already being available
  • Article workspaces live under skills/wechat-studio/content/articles/
  • Users with an existing 香蕉制作平台 can use it directly
  • Users without one can open job.suxi.ai, generate an SK, place it into the token field, and log in
Security usage recommendations
What to consider before installing/running:

  • Inspect the shipped server.py and frontend code before running. Look for network calls (requests, urllib, fetch, axios, sockets), any base64 decode/exec behavior, or code that reads system paths or environment variables.
  • The skill's docs and previews reference MD2WECHAT_API_KEY and an image provider (openai via https://new.suxi.ai). Even though the skill metadata lists no required env vars, the code likely expects API keys — do not supply high‑privilege credentials (AWS, personal OpenAI keys, etc.) without reviewing the code and limiting token scope.
  • The SKILL.md suggests obtaining an 'SK' from job.suxi.ai and entering it into the UI; that is an external third‑party service. Be cautious about giving any tokens or secrets to third parties and prefer test/least-privilege tokens.
  • Run the server in an isolated environment (container or VM) and with a non-privileged user. Monitor outbound network connections during initial runs to detect unexpected exfiltration attempts.
  • Because code is bundled, prefer to read the full server.py for any hardcoded endpoints, logging or telemetry, and check templates for absolute paths or leaked local info (the previews show /Users/Abigale/...). If you are not comfortable auditing the code, avoid running it on sensitive hosts.
  • If you plan to use external APIs, create separate limited-scope API keys for this tool and revoke them after testing.

Confidence notes: I flagged inconsistencies between declared metadata (no env vars) and the runtime files (which reference API keys/third-party endpoints) and a prompt-injection signal was found. I did not perform a full dynamic analysis of server.py; reviewing that file for outbound calls and decoding logic would raise confidence one way or another.
Functional analysis
Type: OpenClaw Skill
Name: content-system-wechat-studio
Version: 1.0.1

The skill bundle contains a significant path traversal vulnerability in `frontend/server.py`. The `resolve_workspace_path` function fails to properly sanitize relative paths containing '..', allowing the `/api/assets` endpoint to read arbitrary files from the host system. Additionally, `frontend/extract_live_reference.js` utilizes Playwright to visit arbitrary user-provided URLs, which poses a risk of Server-Side Request Forgery (SSRF). The bundle also includes hardcoded local user paths (e.g., `/Users/Abigale/...`) and directs users to external services like `suxi.ai`, which may indicate improper packaging or environment-specific risks.
Capability assessment
Purpose & Capability
Name/description describe a local workbench. That purpose would not normally require undisclosed external API keys or third‑party service tokens, but the SKILL.md and preview files reference MD2WECHAT_API_KEY, an image provider (openai via https://new.suxi.ai/v1), and an external job.suxi.ai SK — these credentials are not declared in the skill metadata, creating an incoherence.
Instruction Scope
Runtime instructions ask you to pip/npm install and run a local server (expected). They also instruct how to provide an external 'SK' from job.suxi.ai and show an API provider block (provider: openai, api base: https://new.suxi.ai/v1) — the skill will likely call out to external services and expects API keys. The SKILL.md does not explicitly constrain what files or env vars the server will access; the included preview HTML already references MD2WECHAT_API_KEY and absolute user paths, suggesting templates or server code may surface local paths.
Install Mechanism
No automated install spec is declared (instruction-only install commands are in SKILL.md). Code files are bundled with the skill (server.py, frontend JS/Python), so running the server will execute shipped code. No remote download/install of third‑party binaries was specified, which reduces supply-chain risk, but running bundled server code still executes non-reviewed code locally.
Credentials
Skill metadata declares no required environment variables or credentials, but the SKILL.md and template previews reference MD2WECHAT_API_KEY and an image-generation provider (openai api base at new.suxi.ai). That mismatch is disproportionate and unexpected — the skill may require secrets to operate despite none being declared.
Persistence & Privilege
always:false (no force inclusion) and normal model invocation settings. The skill does not request elevated platform privileges in metadata. However, it runs a local server process from bundled code which will run with the invoking user's local privileges — treat this as standard but significant local execution risk.
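How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install content-system-wechat-studio
  3. Once installation finishes, call the skill by name or trigger it with /content-system-wechat-studio
  4. Provide the required input according to the skill's parameter description to get structured output
Version history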
v1.0.1
Show configured vs effective image backend, default to Banana nano-nx, and add SK login guidance
v1.0.0
Publish auxiliary content-system skills
Metadata
Slug content-system-wechat-studio
Version 1.0.1
License MIT-0
Total installs 0
Current installs 0
Historical versions 2
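FAQ

What is WeChat Studio?

Launch a local WeChat article workbench for Markdown import, WeChat HTML preview, theme tuning, image selection, and optional draft push. Use when Codex need... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 95 total downloads so far.

How do I install WeChat Studio?

Run the command "/install content-system-wechat-studio" in the OpenClaw or Claude Code chat box for a one-click install, with no additional configuration required.

Is WeChat Studio free?

Yes, WeChat Studio is completely free under the MIT-0 license and can be freely downloaded, installed, and used.

Which platforms does WeChat Studio support?

WeChat Studio runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed WeChat Studio?

It is developed and maintained by Abigale-cyber (@abigale-cyber); the current version is v1.0.1.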
