WeChat Publisher With WeMD Render

微信公众号发文自动化 skill。覆盖 Markdown 排版渲染（12 种内置主题 + 自定义主题）、正文图片上传、封面上传、草稿创建/更新/预览、人工确认发布、发布状态查询、素材/草稿/已发布文章查询。Use when agent needs to help write or publish 公众号文章, o...

This skill largely does what it says (render Markdown with WeMD and call WeChat APIs) but has a few inconsistencies and runtime risks you should consider before installing: - Credentials: The code requires WECHAT_APP_ID and WECHAT_APP_SECRET (wechat_client.require_env), but the skill metadata does not declare them. Expect to provide those credentials; verify they are stored and scoped appropriately. - .env file reads: The loader looks at /root/.openclaw/.env and the skill's .env. That can pull unrelated secrets from a host-wide file. Prefer providing only the WeChat credentials (as environment variables scoped to the skill or agent) rather than letting the skill read host /root/.openclaw/.env. - Runtime network installs: On first run setup.py will run npm install and git clone a GitHub repo and build code. This downloads and executes third-party code at runtime. If you want to limit exposure, run the skill in a sandbox/container or pre-run the setup in an isolated environment and inspect the downloaded files. - File access: The skill will read local markdown and image files you point it to (content_markdown_path, thumb_image_path). Make sure you trust the environment and don't point it at directories containing unrelated secrets. - Patch behavior: setup.py patches node modules (writes files into node_modules), which is non-trivial. Review the install output or perform installation in an isolated environment. Actionable steps before using: 1) Inspect/verify WECHAT_APP_ID/SECRET handling and place them in a controlled environment (not a system-wide .env). 2) Run setup/install inside a container and audit the cloned WeMD code. 3) Confirm the skill's registry metadata is updated to list the required env vars (WECHAT_APP_ID and WECHAT_APP_SECRET). 4) If you cannot isolate, do not install — at minimum, review vendor/wemd and setup.py behavior and ensure you understand the runtime network and file writes.

Type: OpenClaw Skill Name: wechat-publisher-wemd Version: 0.1.0 The skill bundle provides a comprehensive toolset for automating WeChat Official Account publishing, including Markdown rendering via the WeMD engine, image uploading, and draft management. It includes strong safety instructions in SKILL.md and references/safety-rules.md, explicitly requiring manual confirmation before publishing and prohibiting the exposure of credentials. While scripts/setup.py performs high-risk actions like 'git clone' and 'npm install' to initialize the rendering engine, and scripts/manage_themes.py contains a potential path traversal vulnerability in theme naming, these behaviors are aligned with the stated purpose of the skill and do not show evidence of malicious intent.