Is wechat-multi-publisher safe?

https://clawhub.ai/x402spark-jpg/wechat-multi-publisher

Overall score: 68 · CAUTION

This WeChat publishing skill appears functionally legitimate but carries moderate risk: it instructs an unpinned npm install of @wenyan-md/core (a supply-chain attack vector), it ships a publish.mjs script whose source was not captured in the evidence and so could not be audited, and its credential handling teaches the agent exactly where WeChat API secrets are stored. No prompt injection, canary-file tampering, or malicious clone-time behaviour was detected.

Category Scores

Prompt Injection 85/100 (weight 30%)
Data Exfiltration 45/100 (weight 25%)
Code Execution 40/100 (weight 20%)
Clone Behavior 80/100 (weight 10%)
Canary Integrity 100/100 (weight 10%)
Behavioral Reasoning 50/100 (weight 5%)

Findings (10)

HIGH Unpinned npm dependency installation -35

The skill instructs the agent to run npm install @wenyan-md/core with no version pin, no lockfile and no integrity check, so whatever the registry serves at install time is what gets executed. An npm package may declare preinstall, install or postinstall scripts that run arbitrary code during installation with the agent's privileges, and a compromised or hijacked release would do so silently. No package.json or lockfile is shipped with the skill to constrain the dependency.
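The following is an added example for this review, not code from the skill or from the scanner. It shows the pre-install check a reviewer would run before honouring that instruction: given a project's package.json, its package-lock.json and the package.json of the fetched dependency, it lists everything that leaves the install unconstrained. Every manifest, version and hash in it is a constructed placeholder, and scenario C is a hypothetical, not an observation about the real @wenyan-md/core package.

```javascript
// Added example for this review, not code from the skill or from the scanner.
// All manifests, versions and hashes below are constructed placeholders.

const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/;        // 1.2.3 or 1.2.3-beta.1; no ^ ~ * ranges
const INTEGRITY_SHA512 = /^sha512-[A-Za-z0-9+/]{86}==$/;              // what npm records for a resolved tarball
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare']; // run automatically by npm install

// manifest: consuming package.json; lock: package-lock.json (lockfileVersion 2/3) or null;
// depManifests: package.json of each installed dependency keyed "node_modules/<name>" as in the lockfile.
// Returns human-readable problems; an empty list means pinned, hashed and free of install hooks.
function auditDependency(name, manifest, lock, depManifests = {}) {
  const problems = [];
  const spec = manifest.dependencies ? manifest.dependencies[name] : undefined;
  if (spec === undefined) {
    problems.push(`${name}: not declared in package.json, so nothing constrains what npm fetches`);
  } else if (!EXACT_VERSION.test(spec)) {
    problems.push(`${name}: spec "${spec}" is a range, not an exact version`);
  }

  const key = `node_modules/${name}`;
  const entry = lock && lock.packages ? lock.packages[key] : undefined;
  if (!entry) {
    problems.push(`${name}: no lockfile entry, so no integrity hash is verified at install`);
  } else {
    if (!INTEGRITY_SHA512.test(entry.integrity || '')) {
      problems.push(`${name}: lockfile entry lacks a sha512 integrity hash`);
    }
    if (spec !== undefined && EXACT_VERSION.test(spec) && entry.version !== spec) {
      problems.push(`${name}: lockfile resolves ${entry.version} but package.json pins ${spec}`);
    }
  }

  // Pinning alone does not catch this: the fetched tarball's own package.json decides what runs on install.
  const depPkg = depManifests[key];
  const hooks = depPkg && depPkg.scripts ? LIFECYCLE_HOOKS.filter((h) => depPkg.scripts[h]) : [];
  for (const h of hooks) {
    problems.push(`${name}: declares a ${h} script ("${depPkg.scripts[h]}") that npm runs during install`);
  }
  return problems;
}

const DEP = '@wenyan-md/core';
const PLACEHOLDER_HASH = 'sha512-' + 'A'.repeat(86) + '=='; // constructed; not the package's real hash

// Scenario A (constructed): the skill's instruction as written, with no package.json entry and no lockfile.
const asInstructed = { manifest: { name: 'wechat-skill' }, lock: null };

// Scenario B (constructed): pinned and hashed. 1.2.3 is a placeholder version.
const pinned = {
  manifest: { name: 'wechat-skill', dependencies: { [DEP]: '1.2.3' } },
  lock: {
    lockfileVersion: 3,
    packages: { [`node_modules/${DEP}`]: { version: '1.2.3', integrity: PLACEHOLDER_HASH } },
  },
  depManifests: { [`node_modules/${DEP}`]: { name: DEP, version: '1.2.3' } },
};

// Scenario C (constructed, hypothetical, not an observation about the real package): same pins,
// but the fetched tarball declares a postinstall hook.
const withHook = {
  ...pinned,
  depManifests: {
    [`node_modules/${DEP}`]: { name: DEP, version: '1.2.3', scripts: { postinstall: 'node setup.js' } },
  },
};

function runScenarios() {
  const out = {};
  for (const [label, s] of Object.entries({ asInstructed, pinned, withHook })) {
    out[label] = auditDependency(DEP, s.manifest, s.lock, s.depManifests);
  }
  return out;
}

for (const [label, problems] of Object.entries(runScenarios())) {
  console.log(label, problems.length ? problems : 'ok');
}
```

Once a package.json and lockfile exist, npm ci --ignore-scripts installs exactly what the lockfile hashes and suppresses the lifecycle hooks; the dependency's code still runs later when the skill invokes node scripts/publish.mjs, so install hooks are only one part of the exposure.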

HIGH Executable script without full source audit -25

The skill includes scripts/publish.mjs, which it expects the agent to run with node scripts/publish.mjs. The file appears in the skill's file inventory, but its full source was not included in the evidence collected under 'All Source Code', so its behaviour could not be verified. Before running it, a reviewer should read the script and confirm that the hosts it contacts and the files it reads match what the skill documents.

MEDIUM Credential access pattern exposes sensitive data -25

The skill explicitly instructs the agent to read WeChat API credentials from the environment variables WECHAT_APP_ID and WECHAT_APP_SECRET, falling back to ~/.config/wechat-mp/credentials.json. This is necessary for the skill to function, but it tells the agent exactly where the secrets live and normalises reading credential files. Where the file is used, it should be readable only by the owning user, and its contents should never be echoed into agent output or logs.

MEDIUM Local file upload to external CDN -20

The inline image feature reads local PNG/JPG files referenced by the article and uploads them to the WeChat CDN. An agent that is socially engineered or prompt-injected could be made to upload sensitive local files (screenshots, documents, keys) disguised as article images. The check a reviewer would want is that every candidate resolves inside the article's own directory and is an image by content, not merely by file extension.

MEDIUM Public IP exposure instruction -10

The setup guide instructs running curl ifconfig.me to look up the server's public IP. This is benign in context, but it discloses the host's egress address to a third-party service, and an agent that follows it will do so on every setup run.

MEDIUM Immediate publish flag bypasses review -20

The --publish flag triggers immediate public posting to WeChat with no draft review step. An agent following the skill's instructions could publish content the user never intended to make public, especially when triggered by an ambiguous prompt. Defaulting to the draft box and requiring an explicit confirmation before --publish is honoured would remove this failure mode.

LOW Broad activation description increases accidental trigger risk -15

The skill description contains many activation phrases in both English and Chinese ('push Markdown files to WeChat MP', 'publish to 公众号草稿箱', 'schedule WeChat articles', 'automate public account content delivery'), increasing the chance of accidental activation when the user is discussing WeChat topics without intending to publish.

LOW Overly detailed description in frontmatter -15

The skill description in the YAML frontmatter is unusually long and detailed, listing many activation phrases. This is not malicious in itself, but such a broad activation surface makes the agent more likely to select this skill whenever WeChat is mentioned.

INFO Network connections during clone are system-level only 0

All observed network connections during installation (185.125.188.54 = Canonical/Ubuntu, 216.150.1.1 = likely DNS/infrastructure, mDNS on port 5353) are attributable to system processes, not the skill itself.

INFO System file reads are from OS login process 0

The /etc/passwd, /etc/shadow, /etc/pam.d/* reads in filesystem monitoring are from gdm-session-worker (GDM auto-login process), not from the skill installation.