onceyoungs

wx-mp-push

Author: onceyoungs · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 92
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install wx-mp-push
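Description
Automates publishing articles to WeChat Official Accounts: creates and manages article drafts via the API, supports both Markdown and HTML input formats, converts MD→HTML automatically, and uploads cover images and in-body images automatically. Use it to publish articles to an Official Account, create content drafts, automate content workflows, or set up a scheduled publishing system.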
Security usage recommendations
This skill appears to implement the advertised WeChat article-publishing features, but proceed with caution:
  1. It expects you to put AppID/AppSecret into config.json — keep that file private and do not check it into source control.
  2. The publish script will scan article HTML for <img src="..."> and will open local files (relative or absolute) and upload them to WeChat; if the HTML contains paths to sensitive files (e.g., /etc/… or other local secrets) those files could be read and sent to an external service. Don't run this on machines containing sensitive data unless you inspect the code and control the content it processes.
  3. Documentation has contradictions about handling external URLs — verify whether external remote images are fetched and re-uploaded.
  4. Review the script (publish_article.py) yourself, run it in an isolated environment (or with a test account) first, and restrict where config.json and the token cache are stored.
If you want a safer setup, provide only sanitized content (no absolute paths), or run the tool in a container with limited filesystem visibility and network access. If you want, I can point out specific lines in publish_article.py that perform file reads and uploads so you can inspect them more closely.
Functional analysis
Type: OpenClaw Skill
Name: wx-mp-push
Version: 1.0.0
The skill is a functional WeChat article publisher but contains a Server-Side Request Forgery (SSRF) vulnerability in 'scripts/publish_article.py'. The '_download_url_to_temp' function fetches content from arbitrary URLs provided in the article content without validation, which could be exploited to access internal network resources. Additionally, the script handles sensitive WeChat credentials (AppID/AppSecret) and stores access tokens locally in plaintext, which are risky but necessary capabilities for its stated purpose. No evidence of intentional malice or data exfiltration was found.
Capability assessment
Purpose & Capability
Name/description align with what is provided: a Python script that converts Markdown to WeChat-friendly HTML, manages access tokens, uploads images, and creates drafts via the WeChat API. The required credentials (AppID/AppSecret) are stored in a local config.json file, which is proportionate to the stated functionality.
Instruction Scope
Runtime instructions and the script will scan HTML for <img> src attributes and will open/read local files (relative or absolute) referenced there and upload them to WeChat. Because user-supplied HTML can include arbitrary local paths, this behavior could cause inadvertent reading and uploading of sensitive local files. The docs are also inconsistent about handling external URLs (some places say external URLs are kept, other examples imply external images may be uploaded), increasing risk of unexpected network I/O.
Install Mechanism
No install spec; the skill is instruction + script only. It uses Python and a single dependency (httpx) which is reasonable and low-risk compared with arbitrary downloads.
Credentials
No platform environment variables are requested. Secrets are expected in config.json (appId/appSecret). That is proportionate, but storing AppSecret in a plaintext config file and the script caching tokens under .tokens should be noted as a local secret storage decision that the user must manage securely.
Persistence & Privilege
Skill is not always-enabled and is user-invocable (normal). However, because the script can read local files referenced by content and upload them externally, allowing autonomous invocation or running in an environment with sensitive files increases the blast radius; consider invocation controls and sandboxing.
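How to use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install wx-mp-push
  3. Once installed, call the Skill by name or trigger it with /wx-mp-push
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history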
v1.0.0
wx-mp-push 1.0.0 – Initial Release
- Automates publishing articles to WeChat Official Accounts via API.
- Supports both Markdown and HTML input, with built-in Markdown-to-WeChat-HTML conversion.
- Automatically manages images: detects, uploads, and replaces cover and content image URLs.
- Offers multi-account support and secure access token management.
- Includes command-line tools for direct, scheduled, and workflow-integrated publishing.
- Provides comprehensive guides for configuration, error troubleshooting, and best security practices.
Metadata
Slug: wx-mp-push
Version: 1.0.0
License: MIT-0
Total installs: 0
Current installs: 0
Historical versions: 1
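FAQ

What is wx-mp-push?

Automates publishing articles to WeChat Official Accounts: creates and manages article drafts via the API, supports both Markdown and HTML input formats, converts MD→HTML automatically, and uploads cover images and in-body images automatically. Use it to publish articles to an Official Account, create content drafts, automate content workflows, or set up a scheduled publishing system. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 92 total downloads to date.

How do I install wx-mp-push?

Run the command "/install wx-mp-push" in the OpenClaw or Claude Code chat box for a one-step install; no extra configuration is needed.

Is wx-mp-push free?

Yes. wx-mp-push is completely free, released under the MIT-0 license, and can be freely downloaded, installed and used.

Which platforms does wx-mp-push support?

wx-mp-push is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who develops wx-mp-push?

It is developed and maintained by onceyoungs (@onceyoungs); the current version is v1.0.0.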
