Is 0731coderlee-sudo/wechat-publisher safe?
https://github.com/openclaw/skills/tree/main/skills/0731coderlee-sudo/wechat-publisher
This skill is a legitimate WeChat article publishing wrapper around the wenyan-cli tool. It contains no prompt injection, hidden instructions, or malicious code. The primary concerns are the auto-installation of a global npm package without explicit user consent (supply chain risk) and the credential-reading pattern from TOOLS.md, both of which are functional requirements but warrant user awareness.
Findings (7)
MEDIUM Auto-installs global npm package without user confirmation -28
publish.sh automatically runs 'npm install -g @wenyan-md/cli' if wenyan is not found. This installs a third-party package globally without explicit user consent, creating a supply chain attack vector. If the npm package @wenyan-md/cli or any of its dependencies are compromised, the user's entire system could be affected.
MEDIUM Scripts read API credentials from TOOLS.md via grep extraction -15
Both publish.sh and setup.sh grep TOOLS.md for WECHAT_APP_ID and WECHAT_APP_SECRET, extracting credentials and exporting them as environment variables. While this is the skill's intended purpose, it establishes a credential-reading pattern. The credentials are then used to authenticate with WeChat's API.
LOW Hardcoded author-specific filesystem paths leaked -5
SKILL.md and scripts contain hardcoded paths specific to the author's machine (/Users/leebot/.openclaw/workspace/, /Users/bruce/photos/). This reveals information about the author's system and could confuse the agent into referencing non-existent paths on the user's machine.
LOW Troubleshooting instructs IP address disclosure -5
The troubleshooting documentation instructs users to run 'curl ifconfig.me' to obtain their public IP address. While needed for WeChat IP whitelisting, this sends a request to a third-party service that logs the user's IP.
LOW Skill instructs agent to execute shell commands and install packages -10
SKILL.md contains numerous bash code blocks that an LLM agent would be expected to execute, including global npm installs, environment variable exports, and wenyan CLI commands. While expected for the skill's functionality, this grants broad shell execution scope to the skill's instructions.
LOW Article content sent to external WeChat API endpoint -5
The core functionality sends the user's Markdown article content, images, and metadata to WeChat's API servers (api.weixin.qq.com). This is the skill's stated purpose but means user-generated content leaves the local machine.
INFO External documentation URLs referenced -5
SKILL.md references multiple external URLs for documentation purposes: wenyan GitHub, WeChat developer docs, yuzhi.tech configuration guide. All appear to be legitimate documentation links with no fetch-and-execute patterns.