Trusted — Risk Score 0/100
Last scan: 1 day ago
zhy-wechat-publish
WeChat Official Account draft-box publishing skill; supports automatic cover generation, CSS compatibility, and body image upload.
This is a legitimate WeChat Official Account draft publishing tool. All capabilities are properly declared, network traffic is limited to WeChat's official API, and no malicious behavior is present.
Skill Name: zhy-wechat-publish
Duration: 25.3s
Engine: pi
Safe to install
This skill is safe to use. Ensure the .env file is created locally and credentials are not committed to version control.
Resource    | Declared | Inferred | Status    | Evidence
Filesystem  | READ     | READ     | ✓ Aligned | SKILL.md line: Article/HTML file reading is declared and documented
Network     | READ     | READ     | ✓ Aligned | All network calls to api.weixin.qq.com only, documented in SKILL.md
Shell       | WRITE    | WRITE    | ✓ Aligned | spawnSync('bun') and spawnSync('node') declared in SKILL.md and scripts/publish_…
Environment | READ     | READ     | ✓ Aligned | .env credential loading documented in SKILL.md
4 findings
1. Medium · External URL · https://api.weixin.qq.com/cgi-bin/token?grant_type=client_credential&appid=$ (scripts/upload_image.js:70)
2. Medium · External URL · https://api.weixin.qq.com/cgi-bin/material/add_material?access_token=$ (scripts/upload_image.js:79)
3. Medium · External URL · https://api.weixin.qq.com/cgi-bin/draft/add?access_token=$ (scripts/wechat_draft.js:135)
4. Medium · External URL · https://api.weixin.qq.com/cgi-bin/media/uploadimg?access_token=$ (scripts/wechat_draft.js:316)

File Tree

5 files · 39.7 KB · 1208 lines
JavaScript: 3 files · 963 lines; Markdown: 2 files · 245 lines
├─ 📁 scripts
│ ├─ 📜 publish_with_cover.js JavaScript 297L · 9.8 KB
│ ├─ 📜 upload_image.js JavaScript 201L · 6.9 KB
│ └─ 📜 wechat_draft.js JavaScript 465L · 16.0 KB
├─ 📝 README.md Markdown 111L · 2.0 KB
└─ 📝 SKILL.md Markdown 134L · 4.8 KB

Security Positives

✓ All capabilities properly declared in SKILL.md — no doc-to-code mismatch
✓ Network calls exclusively to official WeChat API (api.weixin.qq.com) — no exfiltration
✓ spawnSync uses shell:false — prevents arbitrary shell injection
✓ No base64, eval, or obfuscation techniques found
✓ No credential harvesting — credentials used only for WeChat API auth
✓ No sensitive path access (~/.ssh, ~/.aws, .env secrets) beyond documented .env loading
✓ Zero external script downloads (no curl|bash, no wget|sh)
✓ Credentials never leave the system except as Bearer tokens to WeChat's official API