Scan Report
15 /100
bozo-wechat-publisher
一键发布 Markdown 文章到微信公众号草稿箱
Legitimate WeChat publishing skill with documented shell execution for npm packages and credential management. Minor concerns include unpinned npm versions but no malicious indicators found.
Safe to install
Approve for use. Consider pinning npm package versions for better reproducibility. Ensure TOOLS.md credential file has appropriate file permissions (600).
Findings 2 items
| Severity | Finding | Location |
|---|---|---|
| Low | npm package versions not pinned Supply Chain | scripts/publish.sh:26 |
| Info | TOOLS.md credential access pattern Doc Mismatch | scripts/setup.sh:16 |
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Shell | WRITE | WRITE | ✓ Aligned | SKILL.md line 47: 'npm install -g @wenyan-md/cli' |
| Network | READ | READ | ✓ Aligned | Scripts only connect to api.weixin.qq.com (WeChat official API) |
| Filesystem | READ | READ | ✓ Aligned | Scripts read Markdown files and TOOLS.md |
| Environment | READ | READ | ✓ Aligned | Scripts read WECHAT_APP_ID/SECRET from environment or TOOLS.md |
20 findings
Medium External URL 外部 URL
https://mp.weixin.qq.com/ MIGRATION.md:44 Medium External URL 外部 URL
https://deb.nodesource.com/setup_18.x MIGRATION.md:54 Medium External URL 外部 URL
https://nodejs.org/dist/v18.20.2/node-v18.20.2-x64.msi MIGRATION.md:77 Medium External URL 外部 URL
https://ifconfig.me/ MIGRATION.md:88 Medium External URL 外部 URL
https://via.placeholder.com/1080x864 MIGRATION.md:151 Medium External URL 外部 URL
https://registry.npmmirror.com MIGRATION.md:268 Medium External URL 外部 URL
https://developers.weixin.qq.com/doc/offiaccount/ MIGRATION.md:305 Medium External URL 外部 URL
https://nodejs.org/dist/v18.20.2/ README.md:78 Medium External URL 外部 URL
https://openclaw.ai README.md:292 Medium External URL 外部 URL
https://myblog.com/original-post SKILL.md:460 Medium External URL 外部 URL
https://wenyan.yuzhi.tech SKILL.md:541 Medium External URL 外部 URL
https://www.slas.cc example.md:6 Medium External URL 外部 URL
https://myblog.com/post example.md:116 Medium External URL 外部 URL
https://cdn.example.com/cover.jpg example.md:190 Medium External URL 外部 URL
https://yuzhi.tech/docs/wenyan/upload references/troubleshooting.md:29 Medium External URL 外部 URL
https://api.weixin.qq.com references/troubleshooting.md:246 Medium External URL 外部 URL
https://api.weixin.qq.com/cgi-bin/token scripts/publish-card-theme-v2.sh:26 Medium External URL 外部 URL
https://api.weixin.qq.com/cgi-bin/stable_token scripts/publish-card-theme-v2.sh:27 Medium External URL 外部 URL
https://api.weixin.qq.com/cgi-bin/material/add_material scripts/publish-card-theme-v2.sh:28 Medium External URL 外部 URL
https://api.weixin.qq.com/cgi-bin/draft/add scripts/publish-card-theme-v2.sh:29 File Tree
18 files · 113.1 KB · 4539 lines Markdown 7f · 2152L
Shell 7f · 1565L
HTML 2f · 719L
JSON 2f · 103L
├─
▾
references
│ ├─
themes.md
Markdown
│ └─
troubleshooting.md
Markdown
├─
▾
scripts
│ ├─
debug-publish.sh
Shell
│ ├─
publish-card-theme-v2.sh
Shell
│ ├─
publish-card-theme.sh
Shell
│ ├─
publish-curl.sh
Shell
│ ├─
publish.sh
Shell
│ ├─
setup.sh
Shell
│ └─
use-theme.sh
Shell
├─
▾
themes
│ ├─
card-neon-light.html
HTML
│ ├─
card-tech-dark.html
HTML
│ └─
theme-config.json
JSON
├─
_meta.json
JSON
├─
example.md
Markdown
├─
MIGRATION.md
Markdown
├─
README.md
Markdown
├─
SKILL.md
Markdown
└─
THEME_GUIDE.md
Markdown
Dependencies 1 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
@wenyan-md/cli | * | npm | No | Version not pinned, installed globally |
Security Positives
✓ All network requests go to official WeChat API (api.weixin.qq.com)
✓ No base64-encoded execution or obfuscation detected
✓ No credential exfiltration - credentials used only for WeChat API authentication
✓ No access to sensitive paths like ~/.ssh, ~/.aws, or .env files
✓ No reverse shell, C2 communication, or data theft patterns
✓ Documentation accurately describes functionality
✓ Shell commands are necessary for the legitimate purpose (npm package installation)