Is sudoskys/wechat-multi-publisher safe?

https://clawhub.ai/sudoskys/wechat-multi-publisher

94
SAFE

This WeChat multi-publisher skill appears to be a legitimate tool for publishing Markdown content to WeChat Official Accounts. The main concern is an obfuscated script file that prevents thorough code review, but no active malicious behavior was detected during installation.

Category Scores

Prompt Injection 100/100 · 30%
Data Exfiltration 95/100 · 25%
Code Execution 80/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 85/100 · 5%

Findings (3)

MEDIUM Binary/Obfuscated Script File -20

The main script file (scripts/publish.mjs) appears to contain binary content or to be obfuscated, making code review difficult. While this doesn't indicate immediate malicious intent, it prevents proper security analysis of the core functionality.

INFO External API Credentials Required -15

The skill requires WeChat API credentials (WECHAT_APP_ID and WECHAT_APP_SECRET), which could be a target for credential theft if the skill were compromised. However, this is expected functionality for a WeChat publishing tool.

LOW Network Activity During Installation -5

The skill installation involved network connections to external servers, but these appear to be legitimate package-installation connections to npm/CDN servers.