← 返回 Skills 市场
Wechat HTML Publisher
作者
XiaoZuoOvO
· GitHub ↗
· v1.0.2
· MIT-0
457
总下载
0
收藏
1
当前安装
2
版本数
在 OpenClaw 中安装
/install wechat-html-publisher
功能描述
直接上传HTML富文本到微信公众号草稿箱。支持完整的HTML格式,无需Markdown转换。
安全使用建议
This skill appears to implement its stated purpose, but take these precautions before installing or allowing autonomous runs:
- Expect to set WECHAT_APP_ID and WECHAT_APP_SECRET (the SKILL.md and script require them) — the registry metadata incorrectly omits them.
- Run the script locally first (not as an autonomous agent) to verify behavior and to ensure Python + requests are installed from trusted sources (pip install requests).
- Review any HTML you feed it: the script will read local image paths (including absolute paths) and will download remote image URLs. Do not pass untrusted HTML because it could reference internal network URLs (SSRF) or local files you don’t want uploaded.
- If you plan to let an agent invoke the skill autonomously, avoid running it on machines that have access to sensitive internal networks or metadata services; consider disabling autonomous invocation for this skill if you cannot fully trust the agent.
- Rotate WeChat credentials if you suspect they were exposed during testing, and limit their permissions where possible.
If you want this evaluated as 'benign' rather than 'suspicious', provide corrected registry metadata declaring the required environment variables and/or add explicit checks in the code to restrict URL/file fetching (e.g., deny private IP ranges, forbid file paths outside a safe directory).
功能分析
Type: OpenClaw Skill
Name: wechat-html-publisher
Version: 1.0.2
The skill is a legitimate tool for publishing HTML content to WeChat Official Accounts. It uses standard environment variables for credentials and communicates only with official WeChat API endpoints (api.weixin.qq.com) to upload images and create drafts. No evidence of data exfiltration, malicious execution, or prompt injection was found in scripts/publish_html.py or SKILL.md.
能力评估
Purpose & Capability
Name/description and the included script are consistent: the tool uploads HTML and images to the WeChat draft API. However the registry metadata lists no required environment variables or primary credential even though SKILL.md and the script require WECHAT_APP_ID and WECHAT_APP_SECRET; that mismatch is unexpected and should be corrected.
Instruction Scope
SKILL.md and the script instruct reading arbitrary HTML files and local image paths (including absolute paths) and downloading network image URLs. The script will fetch arbitrary URLs and read local files referenced by the HTML and then upload them to WeChat. This is coherent with the stated purpose but introduces an SSRF file/URL fetch surface and allows reading local files referenced by the HTML (e.g., /Users/...). If the agent runs this autonomously or on a sensitive host, an attacker could craft image URLs that access internal endpoints or include local paths to exfiltrate sensitive files.
Install Mechanism
There is no install spec (instruction-only / script included). The code depends on Python and the requests library (README mentions pip install requests). Not having an explicit install spec is low-risk but means the environment must already provide Python and requests — user should ensure those dependencies are installed from trusted sources.
Credentials
The script legitimately requires WECHAT_APP_ID and WECHAT_APP_SECRET to call WeChat APIs, which is proportionate. However the registry metadata does not declare these required environment variables or a primary credential, creating an inconsistency that could hide the need for sensitive credentials. No other unrelated credentials are requested.
Persistence & Privilege
always is false and the skill does not request persistent or cross-skill configuration. disable-model-invocation is false (the default), so the skill could be invoked autonomously by an agent — which is standard, but combined with the instruction-scope risks above (downloading arbitrary URLs / reading local files) warrants caution.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install wechat-html-publisher - 安装完成后,直接呼叫该 Skill 的名称或使用
/wechat-html-publisher触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.2
- 补充并规范了文档中的API凭证配置示例,使用占位符替换真实ID和密钥。
- 新增元数据文件 .clawhub/origin.json 和 _meta.json,用于增强技能元信息。
v1.0.0
wechat-html-publisher v1.0.0
- 初始版本发布
- 支持将完整HTML富文本直接上传至微信公众号草稿箱
- 自动上传并替换HTML中的本地或网络图片为微信图床链接
- 命令行工具支持多参数配置,一键发布
- 无需Markdown转换,适合已有排版的HTML内容
元数据
常见问题
Wechat HTML Publisher 是什么?
直接上传HTML富文本到微信公众号草稿箱。支持完整的HTML格式,无需Markdown转换。 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 457 次。
如何安装 Wechat HTML Publisher?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install wechat-html-publisher」即可一键安装,无需额外配置。
Wechat HTML Publisher 是免费的吗?
是的,Wechat HTML Publisher 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Wechat HTML Publisher 支持哪些平台?
Wechat HTML Publisher 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Wechat HTML Publisher?
由 XiaoZuoOvO(@zuo-wentao)开发并维护,当前版本 v1.0.2。
推荐 Skills