← 返回 Skills 市场
97
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install wechat-mp-draft-publisher
功能描述
Publish WeChat Official Account draft articles through a packaged CLI executable that wraps WeChat API calls. Use when the user wants to publish or create a...
安全使用建议
This skill appears to do what it claims (publish WeChat drafts), but take these precautions before installing or running it: 1) The wrapper requires a local credentials file at ~/.weixin_credentials (appid/secret) but that requirement is not declared in the registry metadata — only provide credentials you trust and consider using a service account with limited permissions. 2) Prefer supplying a vetted local mp-weixin-skill binary via --bin or MP_WECHAT_CLI_BIN rather than allowing the installer to auto-download an executable. 3) If you must auto-download, point MP_WECHAT_GITHUB_REPO to the official repository and verify release checksums/signatures out-of-band; avoid arbitrary MP_WECHAT_RELEASE_URL values from untrusted hosts. 4) Be aware the installer will use your GITHUB_TOKEN env var if present; avoid exposing a highly privileged token. 5) Inspect the mp-weixin-skill binary source (or run it in a sandbox/container) before use, since the wrapper executes that binary and will inherit any behavior it contains. If you cannot verify the released binary or prefer safer operation, decline auto-download and run a known-good local CLI instead.
功能分析
Type: OpenClaw Skill
Name: wechat-mp-draft-publisher
Version: 0.0.1
The skill implements a 'download-and-execute' pattern in `scripts/install_mp_weixin_skill.sh`, fetching an unverified binary from a remote GitHub repository or arbitrary URL (e.g., `github.com/Mesus/weixin-mp-skill`) without integrity checks such as hashes or signatures. It also requires access to sensitive credentials in `~/.weixin_credentials` to function. While these actions are consistent with the stated goal of publishing WeChat drafts, the lack of verification for the remote payload and the execution of opaque binaries in `scripts/publish_draft.sh` constitutes a significant supply chain risk.
能力评估
Purpose & Capability
Name/description match the implementation: the wrapper enforces getAuth -> uploadArticleImage -> uploadCoverImage -> addDraft. Requiring a local WeChat credentials file (~/.weixin_credentials) and optionally a CLI binary or GitHub release is consistent with the purpose. However, registry metadata claimed no required config paths or env vars while the SKILL.md and scripts require/accept MP_WECHAT_* env vars and the ~/.weixin_credentials file — a metadata mismatch (declaration vs actual requirements). The scripts also rely on common tools (curl, python3, unzip, file, sed, awk, grep) though the skill metadata lists no required binaries.
Instruction Scope
SKILL.md keeps instructions focused on uploading images and creating drafts and documents the run order and required local files. The wrapper enforces the sequence and emits structured JSON. The script does not read arbitrary system files beyond checking for existence of ~/.weixin_credentials, nor does it transmit data to unexpected endpoints by itself. It does, however, run an external mp-weixin-skill binary (user-provided or auto-downloaded) and will execute that binary with credentials-derived tokens — this expands runtime scope to whatever that binary does (the wrapper does not inspect or sandbox it).
Install Mechanism
Although the installer supports GitHub releases (expected), it also accepts direct arbitrary URLs and will download and execute or extract the asset without validating checksums or signatures. The installer uses curl/unzip and Python to parse release JSON and will place a downloaded binary under <skill>/bin and mark it executable. Auto-downloading and running an unverified binary from a user-provided URL (or from a GitHub release with no verification) is high-risk.
Credentials
The skill requires a local credentials file (~/.weixin_credentials with appid/secret) but the registry metadata listed no required config paths — this omission is a material mismatch. The installer will also use a GITHUB_TOKEN environment variable if present to authenticate GitHub API/asset downloads (reasonable for private releases), so users should be aware the script will include that header when calling GitHub. No other unrelated credentials are requested.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It writes the downloaded executable into the skill's bin directory and executes it — normal for a wrapper but effectively grants the skill persistent executable code (the downloaded binary) that will run on invocation. Autonomous invocation is allowed by default (not flagged by itself) but increases blast radius because the skill executes external code.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install wechat-mp-draft-publisher - 安装完成后,直接呼叫该 Skill 的名称或使用
/wechat-mp-draft-publisher触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v0.0.1
Initial release of WeChat MP Draft Publisher.
- Publish WeChat Official Account draft articles via a packaged CLI that enforces the sequence: getAuth → uploadArticleImage → uploadCoverImage → addDraft.
- Supports specifying the executable by local path, environment variable, or automatic download from GitHub Releases.
- Requires local credentials and prepared article content/image files.
- Outputs publishing results in structured JSON; prints errors to stderr.
- Provides example usage for various integration options.
元数据
常见问题
wechat-mp-draft-publisher 是什么?
Publish WeChat Official Account draft articles through a packaged CLI executable that wraps WeChat API calls. Use when the user wants to publish or create a... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 97 次。
如何安装 wechat-mp-draft-publisher?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install wechat-mp-draft-publisher」即可一键安装,无需额外配置。
wechat-mp-draft-publisher 是免费的吗?
是的,wechat-mp-draft-publisher 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
wechat-mp-draft-publisher 支持哪些平台?
wechat-mp-draft-publisher 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 wechat-mp-draft-publisher?
由 Mesus(@mesus)开发并维护,当前版本 v0.0.1。
推荐 Skills