Trusted: risk score 0/100
Last scan: 1 day ago
zhy-wechat-publish
WeChat Official Account draft-box publishing skill; supports automatic cover generation, CSS compatibility, and uploading of body images.
This is a legitimate WeChat Official Account draft publishing tool. All capabilities are properly declared, network traffic is limited to WeChat's official API, and no malicious behavior is present.
Skill name: zhy-wechat-publish
Analysis time: 25.3s
Engine: pi
Verdict: safe to install
This skill is safe to use. Ensure the .env file is created locally and credentials are not committed to version control.
Resource type | Declared permission | Inferred permission | Status | Evidence
File system | READ | READ | ✓ Consistent | SKILL.md: article/HTML file reading is declared and documented
Network access | READ | READ | ✓ Consistent | All network calls go to api.weixin.qq.com only; documented in SKILL.md
Command execution | WRITE | WRITE | ✓ Consistent | spawnSync('bun') and spawnSync('node') declared in SKILL.md and scripts/publish_…
Environment variables | READ | READ | ✓ Consistent | .env credential loading documented in SKILL.md
4 findings

Medium · External URL
https://api.weixin.qq.com/cgi-bin/token?grant_type=client_credential&appid=$
scripts/upload_image.js:70

Medium · External URL
https://api.weixin.qq.com/cgi-bin/material/add_material?access_token=$
scripts/upload_image.js:79

Medium · External URL
https://api.weixin.qq.com/cgi-bin/draft/add?access_token=$
scripts/wechat_draft.js:135

Medium · External URL
https://api.weixin.qq.com/cgi-bin/media/uploadimg?access_token=$
scripts/wechat_draft.js:316

Directory structure

5 files · 39.7 KB · 1208 lines
JavaScript: 3 files · 963 lines; Markdown: 2 files · 245 lines
├─ 📁 scripts
│ ├─ 📜 publish_with_cover.js JavaScript 297L · 9.8 KB
│ ├─ 📜 upload_image.js JavaScript 201L · 6.9 KB
│ └─ 📜 wechat_draft.js JavaScript 465L · 16.0 KB
├─ 📝 README.md Markdown 111L · 2.0 KB
└─ 📝 SKILL.md Markdown 134L · 4.8 KB

Security highlights

✓ All capabilities properly declared in SKILL.md — no doc-to-code mismatch
✓ Network calls exclusively to official WeChat API (api.weixin.qq.com) — no exfiltration
✓ spawnSync uses shell:false — prevents arbitrary shell injection
✓ No base64, eval, or obfuscation techniques found
✓ No credential harvesting — credentials used only for WeChat API auth
✓ No sensitive path access (~/.ssh, ~/.aws, .env secrets) beyond documented .env loading
✓ Zero external script downloads (no curl|bash, no wget|sh)
✓ Credentials never leave the system except as Bearer tokens to WeChat's official API