← 返回 Skills 市场
650
总下载
0
收藏
3
当前安装
3
版本数
在 OpenClaw 中安装
/install wechat-image-generator
功能描述
Generate beautiful images for WeChat articles (covers, comparisons, charts) with zero token cost. Use when user needs images for social media posts, article...
安全使用建议
This skill appears to do what it says: generate static HTML templates and instruct you to take screenshots via a local browser tool. Before installing/using: (1) review and prefer running generate.py (which only writes HTML and prints safe commands) rather than auto_screenshot.py; the latter executes shell commands with shell=True and could be abused if you pass untrusted file paths. (2) The auto-screenshot behavior is partly unimplemented/buggy — screenshots are typically taken by running the printed 'browser open ... && browser screenshot ...' command yourself or using the serve.py + local http.server flow. (3) Run the scripts in a trusted or sandboxed environment if you are unsure about the 'browser' tool implementation. (4) If you plan to integrate this into automation, modify subprocess usage to avoid shell=True and to validate/escape paths to eliminate command-injection risk. Overall the package is coherent with its purpose but exercise standard caution when running helper scripts that invoke shell commands.
功能分析
Type: OpenClaw Skill
Name: wechat-image-generator
Version: 1.0.2
The skill contains a critical shell injection vulnerability in `scripts/auto_screenshot.py` and `scripts/generate.py`. Both scripts construct and execute shell commands using `subprocess.run(..., shell=True)` or by printing commands for the agent to execute, without adequately sanitizing user-controlled input, specifically the `--output` path. This could allow a malicious prompt to inject arbitrary commands (e.g., `--output 'foo.png; rm -rf /'`) leading to remote code execution. While this is a severe vulnerability, there is no clear evidence of intentional malicious behavior such as data exfiltration or backdoor installation, aligning it with a 'suspicious' classification rather than 'malicious'.
能力评估
Purpose & Capability
Name/description match the included files: Python scripts + HTML templates that produce cover/compare/chart HTML and guidance to capture screenshots via the OpenClaw 'browser' tool. Required binary (python3) and requested browser tool are appropriate and proportional. No unrelated environment variables, services, or install steps are present.
Instruction Scope
SKILL.md and README restrict actions to generating HTML files and opening them in a browser for screenshots using the OpenClaw browser tool or a local HTTP server. They do not instruct reading unrelated files or sending data to external endpoints. Two implementation issues to note: (1) generate.py prints the 'browser' commands for the user/agent to run rather than executing them directly (this is expected/safer), and (2) scripts/auto_screenshot.py attempts to invoke the 'browser' commands via subprocess.run(shell=True) but does not actually execute the final combined command (the code prints the combined_cmd and returns True). Additionally, auto_screenshot.py constructs shell commands with user-supplied file paths and executes them with shell=True — this creates a potential local command-injection risk if untrusted paths are passed to that script. This is an implementation vulnerability, not evidence of network exfiltration or unrelated scope creep.
Install Mechanism
No install spec or remote downloads. All code and templates are included in the package; there is no external installation or archive extraction. This is low-risk from an install mechanism perspective.
Credentials
The skill requires no environment variables or credentials. The sole declared runtime dependency (python3) and the implicit dependency on an OpenClaw 'browser' tool are directly relevant to the stated functionality.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and does not require system-level configuration. It is user-invocable and will not be force-included or persistently privileged.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install wechat-image-generator - 安装完成后,直接呼叫该 Skill 的名称或使用
/wechat-image-generator触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.2
Add GitHub repository and homepage links
v1.0.1
Fix: Add logarithmic scale for better chart visualization when values differ greatly; Add min-height to ensure bars are visible
v1.0.0
Initial release: Generate cover, comparison, and chart images for WeChat articles
元数据
常见问题
Wechat Image Generator 是什么?
Generate beautiful images for WeChat articles (covers, comparisons, charts) with zero token cost. Use when user needs images for social media posts, article... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 650 次。
如何安装 Wechat Image Generator?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install wechat-image-generator」即可一键安装,无需额外配置。
Wechat Image Generator 是免费的吗?
是的,Wechat Image Generator 完全免费(开源免费),可自由下载、安装和使用。
Wechat Image Generator 支持哪些平台?
Wechat Image Generator 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Wechat Image Generator?
由 jingyu525(@jingyu525)开发并维护,当前版本 v1.0.2。
推荐 Skills