mp-weixin-skills
Audited by Socket on Feb 24, 2026
1 alert found:
Security [Skill Scanner] [Documentation context] Installation of third-party script detected

Based on the SKILL.md content only, the described capabilities are coherent with the stated purpose: generating HTML/cover images and uploading to WeChat requires the listed credentials and local files. There is no explicit malicious code in this document. However, the absence of the actual implementation (publish.py, wechat/api_client.py, cli.py) prevents verification of critical security details: whether the skill calls official WeChat endpoints, whether credentials are handled safely (not forwarded to third parties), and whether third-party AI/image providers receive full article content. Recommend reviewing the referenced scripts and api_client implementation before trusting or running the skill; specifically verify network endpoints, TLS verification, absence of credential forwarding to unknown domains, and pinned/verified dependencies.

LLM verification: [LLM Escalated] From the provided SKILL.md and project layout, this skill's capabilities are consistent with its stated purpose (WeChat article generation and upload). I found no explicit malicious code or hardcoded secrets in the documentation. The main concerns are operational: sensitive credentials stored in a project .env in the repo root, lack of pinned dependencies/installation provenance, and unspecified handling of external AI/image provider credentials and endpoints. These create a moderate supply-chai