Low Risk — Risk Score 22/100
Last scan: 1 day ago
wechat-publisher
WeChat Official Account publishing skill - automatically publishes AI news to the WeChat Official Account drafts box
Legitimate WeChat publishing skill with exposed example credentials in documentation (likely test/dev credentials, not actual malicious infrastructure). No code execution, credential theft, or data exfiltration patterns detected.
Skill Name: wechat-publisher
Duration: 54.9s
Engine: pi
Safe to install
Replace hardcoded example credentials in documentation with placeholder text. Consider removing real-looking test credentials from docs. The skill itself is safe but documentation hygiene needs improvement.

Findings 2 items

Severity Finding Location
Medium
Exposed credentials in documentation Doc Mismatch
Multiple documentation files contain what appear to be real WeChat AppID (wxebff9eadface1489) and AppSecret (44c10204ceb1bfb3f7ac096754976454) as examples. These look like test/dev credentials and are exposed across install-guide.md, troubleshooting.md, user_guide.md, and skill.md.
AppID: wxebff9eadface1489
AppSecret: 44c10204ceb1bfb3f7ac096754976454
→ Replace with clearly marked placeholders like YOUR_APP_ID and YOUR_APP_SECRET
docs/install-guide.md:111
Low
Hardcoded example IP address Doc Mismatch
IP address 123.45.67.89 appears as an example in install-guide.md:151. This appears to be a documentation placeholder rather than actual C2 infrastructure.
"query": "123.45.67.89"
→ Replace with a clearly fictional IP or generic placeholder text
docs/install-guide.md:151
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | WRITE | WRITE | ✓ Aligned | Creates memory/, templates/, reads config/default.json |
| Network | READ | WRITE | ✓ Aligned | Makes API calls to api.weixin.qq.com for publishing |
| Shell | NONE | NONE | | No subprocess or shell execution found |
| Environment | NONE | READ | ✓ Aligned | Only reads WECHAT_APP_SECRET, not enumerating all env vars |
1 High 18 findings
| Severity | Type | Value | Location |
|---|---|---|---|
| High | IP Address (hardcoded IP address) | 123.45.67.89 | docs/install-guide.md:151 |
| Medium | External URL | https://mmbiz.qpic.cn/mmbiz_jpg/ | docs/block-layout.md:91 |
| Medium | External URL | https://mp.weixin.qq.com/ | docs/install-guide.md:111 |
| Medium | External URL | http://ip-api.com/json/ | docs/install-guide.md:142 |
| Medium | External URL | https://clawhub.com/skill/wechat-publisher | docs/install-guide.md:382 |
| Medium | External URL | https://ip-api.com/ | docs/troubleshooting.md:46 |
| Medium | External URL | https://api.weixin.qq.com/ | docs/troubleshooting.md:296 |
| Medium | External URL | https://docs.openclaw.ai | docs/troubleshooting.md:390 |
| Medium | External URL | https://deb.nodesource.com/setup_16.x | docs/user_guide.md:101 |
| Medium | External URL | https://clawhub.com | docs/user_guide.md:144 |
| Medium | External URL | https://mp.weixin.qq.com | docs/user_guide.md:179 |
| Medium | External URL | https://registry.npmmirror.com | docs/user_guide.md:447 |
| Medium | External URL | https://discord.gg/clawd | docs/user_guide.md:526 |
| Medium | External URL | https://api.weixin.qq.com/cgi-bin/token | scripts/publish.py:146 |
| Medium | External URL | https://api.weixin.qq.com/cgi-bin/draft/add | scripts/publish.py:283 |
| Info | Email (email address) | [email protected] | docs/install-guide.md:219 |
| Info | Email (email address) | [email protected] | docs/user_guide.md:527 |
| Info | Email (email address) | [email protected] | skill.md:7 |

File Tree

12 files · 83.8 KB · 3042 lines
Markdown 9f · 2547L Python 1f · 414L HTML 1f · 68L JSON 1f · 13L
├─ 📁 config
│ └─ 📋 default.json JSON 13L · 242 B
├─ 📁 docs
│ ├─ 📝 block-layout.md Markdown 139L · 3.1 KB
│ ├─ 📝 install-guide.md Markdown 400L · 8.0 KB
│ ├─ 📝 publish-rules.md Markdown 188L · 4.7 KB
│ ├─ 📝 templates.md Markdown 279L · 7.0 KB
│ ├─ 📝 troubleshooting.md Markdown 404L · 9.2 KB
│ ├─ 📝 user_guide.md Markdown 532L · 15.5 KB
│ └─ 📝 user-guide.md Markdown 311L · 6.9 KB
├─ 📁 scripts
│ └─ 🐍 publish.py Python 414L · 16.6 KB
├─ 📁 templates
│ └─ 📄 v5-simple.html HTML 68L · 4.5 KB
├─ 📝 changelog.md Markdown 80L · 2.2 KB
└─ 📝 skill.md Markdown 214L · 5.9 KB

Dependencies 1 item

| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| requests | * | pip | No | Version not pinned but widely-used library |

Security Positives

✓ No subprocess or shell execution found in code
✓ No base64 encoding or obfuscation detected
✓ No credential harvesting (doesn't iterate through all environment variables)
✓ No data exfiltration or C2 communication
✓ No reverse shell or remote code execution
✓ No persistence mechanisms (no cron/scheduled tasks in code)
✓ No prompt injection or hidden instructions
✓ Uses legitimate WeChat official APIs
✓ Dependencies are standard (requests library only)
✓ No malicious supply chain indicators