← 返回 Skills 市场
463
总下载
3
收藏
1
当前安装
28
版本数
在 OpenClaw 中安装
/install wechat-mp-push
功能描述
支持通过AI生成符合公众号规范的图文(文章和贴图),并推送到公众号草稿箱,兼容其它SKILL生成的图文、图片进行推送。通过配置向导扫码授权,支持多账号。无需泄露公众号Secret密钥,无需配置公众号IP白名单。
安全使用建议
What to check and do before installing or using this skill:
- Inspect the code before running. The included file push-to-wechat-mp.js is the only executable; review it yourself (it is readable JS) and verify it only posts to the intended endpoint and only reads files in the skill directory.
- Confirm Node.js availability and consider declaring node as a requirement. If you cannot or do not want to run node locally, do not run this skill.
- Be careful when creating/supplying config.json. The workflow asks you to paste configuration JSON from a web wizard — verify the JSON contents locally before giving it to the agent or saving it in the skill folder. Do not paste any secrets you do not intend to share.
- Verify apiBase in your config.json is the official service (default is https://api.pcloud.ac.cn/openClawService). Do not accept or use config files that set apiBase to unfamiliar domains or IPs; a malicious apiBase would receive all uploaded HTML and images.
- Treat openId and any other identifiers as potentially sensitive. If you must use this skill for sensitive content, prefer authorizing your own official WeChat appId rather than using a shared/platform-provided account.
- The SKILL.md contained a prompt-injection signal (unicode control chars). Proceed cautiously: do not allow the agent to autonomously request or accept arbitrary configuration or credentials via chat without you verifying them.
- If you are unsure or cannot inspect files, run the script in an isolated/sandbox environment or decline to install.
If you want, I can walk through the push-to-wechat-mp.js file line-by-line and highlight the exact network requests and JSON fields it sends so you can audit what will be transmitted.
功能分析
Type: OpenClaw Skill
Name: wechat-mp-push
Version: 3.0.3
The skill facilitates content publishing to WeChat by executing a local Node.js script (push-to-wechat-mp.js) that sends user-generated HTML and a service-specific identifier (openId) to a third-party API (api.pcloud.ac.cn). While this behavior aligns with the stated purpose of bypassing WeChat's complex IP/Secret requirements, the use of shell execution, local file system access, and the exfiltration of content to an external proxy service represent high-risk capabilities. No evidence of intentional malice or unauthorized data theft (e.g., SSH keys or environment variables) was detected.
能力评估
Purpose & Capability
The name/description (generate WeChat article HTML and push to a draft box) matches the code and runtime instructions: the JS script reads a local config.json and posts article HTML or image URLs to an external API to perform the push. However the SKILL declares no required binaries while the runtime instructions and included script assume Node.js is available (the script is invoked via `node`). That mismatch (no declared node requirement) is an incoherence you should account for.
Instruction Scope
The SKILL.md instructs the agent to: ask the user to run a web-based configuration wizard, have the user scan a QR and paste the resulting JSON into a config.json file in the skill directory, then run the included node script which reads that config and uploads content. The instructions do not request other system files or env vars, which is appropriate, but the SKILL.md contained a detected 'unicode-control-chars' prompt-injection pattern (pre-scan signal). Also the workflow asks users to paste JSON they received into chat/skill files — that can lead to accidental disclosure of identifiers or other sensitive fields if users are not careful.
Install Mechanism
There is no install spec (instruction-only behavior) which is low-risk in itself. The package includes a local JS script (push-to-wechat-mp.js) that will be executed by Node.js; because there is no install step, nothing extra is written during install. Still, the presence of executable script means you will execute code from an unknown source on your environment if you run it locally — verify Node availability and inspect the script before running.
Credentials
The skill does not declare environment variables, but it requires a config.json created by the external configuration wizard. That config contains at minimum openId and an accounts list; it can also include an apiBase override. The script will POST the full article HTML and any thumb content to the apiBase URL (default https://api.pcloud.ac.cn/openClawService). Allowing apiBase to be set in config.json means a malicious/modified config could redirect all uploaded article content to an arbitrary endpoint. Asking users to paste configuration JSON into the skill directory/chat increases the risk of exposing identifiers or other sensitive fields to the agent or remote service. Overall the set of credentials/fields requested is plausible for the stated purpose but the apiBase override and the 'paste config into chat' step create an exfiltration vector.
Persistence & Privilege
The skill does not request permanent presence (always:false) and does not attempt to alter other skills or system-wide agent configs. It only reads files in its own directory (config.json and local HTML files). It does require the agent (or user) to write config.json into the skill directory, which is normal for local configuration but is an action that stores data on disk.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install wechat-mp-push - 安装完成后,直接呼叫该 Skill 的名称或使用
/wechat-mp-push触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v3.0.3
chore: sync (v3.0.3)
v3.0.2
chore: sync (v3.0.2)
v3.0.1
chore: sync (v3.0.1)
v3.0.0
chore: sync (v3.0.0)
v2.0.1
chore: sync (v2.0.1)
v2.0.0
chore: sync (v2.0.0)
v1.0.26
chore: sync (v1.0.26)
v1.0.25
chore: sync (v1.0.25)
v1.0.23
chore: sync (v1.0.23)
v1.0.22
chore: sync (v1.0.22)
v1.0.21
chore: sync (v1.0.21)
v1.0.19
chore: sync (v1.0.19)
v1.0.18
chore: sync (v1.0.18)
v1.0.16
chore: sync (v1.0.16)
v1.0.15
chore: sync (v1.0.15)
v1.0.13
chore: sync (v1.0.13)
v1.0.12
chore: sync (v1.0.12)
v1.0.11
chore: sync (v1.0.11)
v1.0.10
chore: sync (v1.0.10)
v1.0.9
chore: sync (v1.0.9)
元数据
常见问题
wechat mp push 微信公众号图文生成与推送技能 是什么?
支持通过AI生成符合公众号规范的图文(文章和贴图),并推送到公众号草稿箱,兼容其它SKILL生成的图文、图片进行推送。通过配置向导扫码授权,支持多账号。无需泄露公众号Secret密钥,无需配置公众号IP白名单。 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 463 次。
如何安装 wechat mp push 微信公众号图文生成与推送技能?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install wechat-mp-push」即可一键安装,无需额外配置。
wechat mp push 微信公众号图文生成与推送技能 是免费的吗?
是的,wechat mp push 微信公众号图文生成与推送技能 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
wechat mp push 微信公众号图文生成与推送技能 支持哪些平台?
wechat mp push 微信公众号图文生成与推送技能 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 wechat mp push 微信公众号图文生成与推送技能?
由 lihengdao(@lihengdao)开发并维护,当前版本 v3.0.3。
推荐 Skills