Is 0731coderlee-sudo/wechat-publisher safe?
https://clawhub.ai/0731coderlee-sudo/wechat-publisher
This skill appears to be a legitimate wrapper around wenyan-cli for publishing Markdown content to WeChat Official Accounts. The main security concern is the automatic global installation of npm packages, though this is for a legitimate tool.
Findings (3)
MEDIUM Global NPM Package Installation -25
The publish.sh script automatically installs @wenyan-md/cli globally via npm if it is not already present. Although this is the legitimate tool the skill wraps, an unattended global install means the skill depends on whatever the npm registry serves at run time, so a compromised package or registry would introduce malicious code.
LOW Credential File Access -15
The skill reads WeChat API credentials from the TOOLS.md file. This is legitimate for the skill's intended functionality, but it requires users to store sensitive credentials at a specific location.
LOW Hardcoded File Paths -10
The skill references specific hardcoded file paths in its documentation. Such references could be used to steer agent behavior, though no malicious intent is apparent.