baoyu-post-to-wechat

[Skill Scanner] Backtick command substitution detected Functionally coherent with described purpose (posting to WeChat). No clear malicious code patterns or external exfiltration to unknown domains were found in the described workflow. Main security concerns: guidance to persist AppID/AppSecret in project-level .env (risk of accidental git commit), and the browser/CDP method requiring access to a Chrome profile which can expose other session data. Treat credential storage and Chrome profile usage with caution (use user-level secure storage, .gitignore, and dedicated profiles). LLM verification: This SKILL.md is functionally consistent with its stated purpose (posting to WeChat) and most filesystem/network operations described are reasonable for that purpose. However, there are notable security concerns: the skill requests/encourages use of a full Chrome profile (which can expose cookies and saved credentials), it lacks explicit, secure handling/storage instructions for WeChat credentials, and it recommends running scripts via npx -y which can introduce supply-chain risk if sources are