← 返回 Skills 市场
105
总下载
0
收藏
0
当前安装
3
版本数
在 OpenClaw 中安装
/install wechat-publisher-auto
功能描述
微信公众号文章发布工具,支持 Markdown 转换、AI 去痕、多主题
安全使用建议
What to check before installing: 1) Verify the source: SKILL.md suggests pip installing from a GitHub repo—confirm the repository and commit integrity before installing. 2) Expect to provide sensitive credentials: you will need WeChat AppID/AppSecret and (optionally) an AI provider API key—store these only where you intend. 3) Beware ~/.openclaw/.env auto-loading: the provided shell script and config code will load ~/.openclaw/.env if present (the shell script 'source's it and exports all variables). That can expose unrelated secrets in that file to the publishing process. If you keep other tokens in ~/.openclaw/.env, remove them or run the tool in an isolated environment. 4) Review network behavior: the converter can optionally call external conversion APIs and the humanizer will call configured AI provider endpoints—if you enable those, article text and images may be transmitted off-host. 5) If you need higher assurance: inspect platforms/wechat.py to confirm it only talks to official WeChat endpoints and that no unexpected remote endpoints are hard-coded; ask the maintainer to update registry metadata to declare required env vars and to stop implicitly sourcing ~/.openclaw/.env. If the maintainer provides those clarifications or removes the auto-load behavior, this assessment could be upgraded to benign.
功能分析
Type: OpenClaw Skill
Name: wechat-publisher-auto
Version: 0.1.2
The skill bundle contains a high-risk Shell Injection vulnerability in 'scripts/publish.sh' due to the use of 'eval' on a command string constructed from user-supplied file paths. While the core logic in 'src/wechat_publisher/' appears to be a legitimate utility for converting Markdown and publishing to the WeChat API, the insecure shell script wrapper is a significant flaw. Additionally, the 'AI Humanizer' feature ('src/wechat_publisher/humanizer/') intentionally sends article content to third-party AI providers (e.g., OpenAI, Qwen), which is consistent with its stated purpose but constitutes external data transmission of potentially sensitive content.
能力评估
Purpose & Capability
The name/description (WeChat publisher: Markdown→HTML, AI de-identification, themes, publish to WeChat) aligns with the included code and CLI. However the registry metadata claims no required environment variables or config paths while the SKILL.md and code clearly expect WeChat credentials (AppID/AppSecret) and optional AI API keys—this mismatch is an incoherence in declared requirements.
Instruction Scope
Runtime instructions and the provided scripts/CLI are focused on conversion and publishing. However the bash helper (scripts/publish.sh) and Python config code will automatically load environment variables from ~/.openclaw/.env when present. That file is external to the skill and may contain unrelated secrets; auto-loading it widens the agent's data surface implicitly. The skill also supports fetching remote CSS and (optionally) using external conversion APIs or AI providers (expected), which will transmit article content to remote endpoints if enabled.
Install Mechanism
There is no formal install spec in the registry, but SKILL.md instructs pip install from a GitHub repo. Packaging appears standard (pyproject.toml). This is a normal install path; nothing like arbitrary binary downloads or opaque installers were present in the manifest. Verify the GitHub repo/source before installing.
Credentials
The skill legitimately needs WeChat AppID/AppSecret and (optionally) AI API credentials. But the registry metadata did not declare required env vars/config paths. More importantly, the code explicitly reads ~/.openclaw/.env (and the shell script will source it), which can import arbitrary environment variables from the OpenClaw environment into the process—potentially exposing unrelated tokens/config to the skill. The skill only reads specific keys from that file (WECHAT_*/AI_*), but the shell sourcing behavior exports all variables globally to the process.
Persistence & Privilege
The skill does not request 'always: true' or other elevated persistent privileges. It stores a config under ~/.wechat-publish-pro/ (normal) and does not appear to modify other skills or system-wide agent settings.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install wechat-publisher-auto - 安装完成后,直接呼叫该 Skill 的名称或使用
/wechat-publisher-auto触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v0.1.2
修复模板:1. HR分割线处理顺序调整(---不会变成列表);2. ol_style左对齐;3. li_style左对齐
v0.1.1
- Updated documentation: removed metadata, name, version, and other config headers from SKILL.md for a cleaner and more user-focused presentation.
- No functional or code changes; update is documentation only.
v0.1.0
wechat-publisher-auto v0.1.0
- Initial release of the skill.
- Enables one-click publishing of Markdown or HTML articles to WeChat Official Account drafts.
- Features Markdown-to-HTML conversion, multiple themes, code highlighting, and AI humanization (去痕).
- Pure Python implementation; does not require external CLI tools.
- Includes commands for publishing, theme selection, AI provider setup, image uploads, and connection testing.
- Supports flexible configuration via environment variables or config files.
元数据
常见问题
微信公众号发布工具 是什么?
微信公众号文章发布工具,支持 Markdown 转换、AI 去痕、多主题. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 105 次。
如何安装 微信公众号发布工具?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install wechat-publisher-auto」即可一键安装,无需额外配置。
微信公众号发布工具 是免费的吗?
是的,微信公众号发布工具 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
微信公众号发布工具 支持哪些平台?
微信公众号发布工具 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 微信公众号发布工具?
由 yuesf(@yuesf)开发并维护,当前版本 v0.1.2。
推荐 Skills