Latest release: v0.2.0
Capabilities
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The plugin and sub-skill artifacts coherently target WeChat Official Account article typesetting, illustration, draft/material management, and publishing workflows, but those workflows inherently involve external APIs, credentials, and account mutations.
Instruction Scope
The HTML submission path automatically uploads every local image reference it extracts from HTML, including file:// or absolute/relative paths, without a required per-file approval or path boundary.
Install Mechanism
There is no install spec, but the skill documentation instructs user-run Python/uv workflows and includes version-range dependencies; this is not hidden or automatic, but users should review dependency installation.
Credentials
External provider use is expected, but the local-file-to-WeChat upload behavior is broader than ordinary selected-file upload because HTML content can determine which local paths are read and uploaded.
Persistence & Privilege
The skill can create persistent WeChat drafts/materials and manage published content; publish and several delete flows require exact-ID confirmation, but permanent material deletion lacks the same explicit confirmation in the provided code.
Scan Findings in Context
[suspicious.exposed_secret_literal] unexpected: The supplied illustrate.py does not show a hardcoded secret; it passes args.openrouter_api_key to the client and otherwise reads OPENROUTER_API_KEY, so this specific static hit appears unsupported by the provided source.
[suspicious.potential_exfiltration] expected: api.py base64-encodes user-specified reference images for OpenRouter image generation, and provider.md/SKILL.md disclose that local reference images are encoded as data URLs; this specific OpenRouter path is purpose-aligned.
What to consider before installing
Review the full package before giving it real WeChat or OpenRouter credentials. Use trusted article HTML only, run the inspection/dry-run step, check every local image path before upload, avoid file:// references, and require explicit confirmation for any publish or deletion operation.
skills/wechat-mp-illustrate/scripts/illustrate.py:69
File appears to expose a hardcoded API secret or token.
skills/wechat-mp-illustrate/scripts/api.py:141
Python code base64-encodes a local file and sends it over the network.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.