Trusted — Risk Score 5/100
Last scan: 1 day ago
wechat-style-publisher
Multi-account WeChat Official Account article publishing tool with support for themed HTML and template variables
Legitimate WeChat Official Account article publishing tool with no malicious behavior detected.
Skill Name: wechat-style-publisher
Duration: 33.3s
Engine: pi
Safe to install
No action required. The skill performs standard WeChat API operations for article publishing.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | READ | WRITE | ✓ Aligned | set-config.mjs writes to config files; apply-style.mjs writes output HTML |
| Network | READ | READ | ✓ Aligned | All network calls go to official WeChat API (api.weixin.qq.com) |
| Shell | NONE | NONE | | No subprocess, exec, or shell command execution found |
1 finding
Medium: External URL
https://api.weixin.qq.com
assets/config.example.json:4

File Tree

15 files · 75.6 KB · 1661 lines
JavaScript 5f · 937L, Python 2f · 555L, JSON 3f · 75L, Markdown 1f · 49L, CSS 1f · 36L, HTML 2f · 8L, Text 1f · 1L
├─ 📁 assets
│ ├─ 📁 templates
│ │ ├─ 📄 intro.html HTML 4L · 163 B
│ │ └─ 📄 outro.html HTML 4L · 196 B
│ ├─ 📋 config.example.json JSON 53L · 1.8 KB
│ ├─ 📄 custom-overrides.css CSS 36L · 556 B
│ └─ 📋 template-variables.example.json JSON 3L · 22 B
├─ 📁 lib
│ └─ 📜 style.mjs JavaScript 282L · 20.3 KB
├─ 📁 scripts
│ ├─ 📜 apply-style.mjs JavaScript 79L · 2.4 KB
│ ├─ 📜 import-template-node.mjs JavaScript 247L · 7.4 KB
│ ├─ 🐍 import-template-python.py Python 236L · 9.9 KB
│ ├─ 📜 publish-node.mjs JavaScript 241L · 8.9 KB
│ ├─ 🐍 publish-python.py Python 319L · 19.3 KB
│ └─ 📜 set-config.mjs JavaScript 88L · 2.2 KB
├─ 📋 package.json JSON 19L · 454 B
├─ 📄 requirements.txt Text 1L · 15 B
└─ 📝 SKILL.md Markdown 49L · 2.0 KB

Dependencies 3 items

| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| highlight.js | ^11.11.1 | npm | No | Caret range - accepts minor updates |
| juice | ^11.0.3 | npm | No | Caret range - accepts minor updates |
| httpx | >=0.27,<1 | pip | No | Version range without upper bound pinning |

Security Positives

✓ All network traffic goes to official WeChat API endpoints
✓ No credential exfiltration - appId/appSecret used only for WeChat API authentication
✓ No obfuscated code or base64-encoded payloads
✓ No subprocess/shell execution patterns
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ Clean codebase with no hidden functionality
✓ Token caching is local-only and within expected scope
✓ Dependencies (highlight.js, juice, httpx) are well-known legitimate libraries