Total downloads: 70
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install wxgzh-mcp
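Description
A skill for creating and managing WeChat Official Account drafts, supporting image upload, draft creation, publishing and related operations. Requires configuring the AppID, AppSecret and a whitelisted IP.
Security usage recommendations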
This skill appears to implement the advertised WeChat draft and media features, but review these before installing:
1. Provide AppID/AppSecret only via a secure config.json and do not store the file in an unsecured/shared folder; the registry metadata did not declare these credentials so verify config handling.
2. The repo includes docker-compose.yml but no Dockerfile in the manifest; docker-compose build may fail. Ask the author for the Dockerfile or use the pip-based instructions in README/SKILL.md instead.
3. Running this will start a FastMCP server and (per compose) expose port 8765. Run it inside an isolated environment or restrict network access.
4. Verify the fastmcp package source and version before installing (supply-chain risk).
5. If you must run it, do so in a container/VM with limited privileges, keep config.json protected, and avoid mounting host directories with sensitive data.
Functional analysis
Type: OpenClaw Skill
Name: wxgzh-mcp
Version: 1.0.0
The skill provides legitimate WeChat Official Account management functionality but contains a significant security vulnerability regarding local file access. The `upload_image` and `upload_thumb` tools in `src/tools/media.py` (implemented in `src/wechat_api.py`) accept arbitrary local file paths and upload the contents to WeChat's servers without any path validation or sandboxing. This allows for potential path traversal attacks where an agent could be coerced into exfiltrating sensitive system files (e.g., credentials or configuration files) by uploading them to the WeChat platform.
Capability assessment
Purpose & Capability
The code and SKILL.md implement WeChat Official Account draft and media management as advertised (token, upload, create/list/delete/publish drafts). However the registry metadata claims no required credentials/env vars while the runtime requires a config.json containing AppID and AppSecret — the skill expects sensitive credentials but did not declare them in the registry metadata.
Instruction Scope
Runtime instructions stay within the stated purpose (use WeChat APIs, upload images, create drafts). The SKILL.md also instructs querying a public IP service (api.ipify.org) to set a WeChat whitelist — this is expected for WeChat API use. One oddity: docker-compose is provided but SKILL.md primarily shows pip-based local runs; the compose file would mount host config and uploads, which is reasonable but increases surface area.
Install Mechanism
The package is instruction-only (no automated install spec), with a requirements.txt listing fastmcp and requests (expected). However docker-compose.yml references building the image from '.' but no Dockerfile is present in the repository manifest — attempting docker-compose build will likely fail. The inclusion of docker-compose (and a mount of config.json and uploads) without a Dockerfile or clear build instructions is an operational inconsistency.
Credentials
The skill legitimately needs AppID and AppSecret for the WeChat API and expects them in a plaintext config.json or via WECHAT_MCP_CONFIG env var (docker-compose sets this). That access is proportionate to the purpose. Note: registry metadata did not declare required credentials; also the secrets are stored in a config file that the docker-compose mounts from the host (read-only) — users should ensure the file is protected and not placed in a shared location.
Persistence & Privilege
The code runs an MCP server (FastMCP) and docker-compose exposes port 8765. While the skill does not set always: true or modify other skills, starting a network service on the host/container increases attack surface and could expose the tool remotely if deployed without firewalling. This is expected for an MCP service but worth explicit attention.
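How to use
- Make sure OpenClaw is installed (locally or via a Docker deployment)
- Enter the install command in the chat box: `/install wxgzh-mcp`
- Once installation completes, call the Skill by its name or trigger it with `/wxgzh-mcp`
- Provide the required input according to the Skill's parameter description to get structured output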
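Version history
v1.0.0
wxgzh-mcp 1.0.0 initial release
- Creates and manages WeChat Official Account draft articles, including cover image and body image upload, and draft creation, viewing, deletion and publishing
- Supports fetching and automatically caching the access_token
- Requires configuring the AppID and AppSecret and adding the local machine's IP to the Official Account whitelist
- Includes detailed configuration guidance and notes on common problems
- Provides a modular source layout and Docker deployment support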
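FAQ
What is wxgzh-mcp?
A skill for creating and managing WeChat Official Account drafts, supporting image upload, draft creation, publishing and related operations. Requires configuring the AppID, AppSecret and a whitelisted IP. It is an AI Agent Skill plugin for Claude Code / OpenClaw and has been downloaded 70 times in total so far.
How do I install wxgzh-mcp?
Run the command "/install wxgzh-mcp" in the OpenClaw or Claude Code chat box for a one-step install, with no additional configuration required.
Is wxgzh-mcp free?
Yes, wxgzh-mcp is completely free. It is released under the MIT-0 license and can be freely downloaded, installed and used.
Which platforms does wxgzh-mcp support?
wxgzh-mcp is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed wxgzh-mcp?
It is developed and maintained by xiaohuozi (@279458179); the current version is v1.0.0.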