wechat-article-publisher

Fail

Audited by Socket on Feb 15, 2026

1 alert found:

Obfuscated File (HIGH)
SKILL.md

The documented skill provides plausible, documented behavior to publish articles by sending parsed content and images to a third‑party gateway (wx.limyai.com) using an API key. From the provided artifacts (README/usage docs) there is no direct evidence of intentional malware, obfuscation, or backdoors. However, there is a significant supply‑chain and privacy risk because the tool routes article content, local images, and authentication credentials through a non‑official external service. Because the actual scripts were not present for review, confirmatory code review is required to rule out additional telemetry, hidden endpoints, insecure secret handling, or credential persistence.

Recommendations:
(1) obtain and audit the actual wechat_api.py and parse_markdown.py source before use;
(2) prefer direct official WeChat API integration or a gateway you control;
(3) avoid exposing WECHAT_API_KEY in shell history;
(4) require explicit user consent before uploading local files;
(5) review gateway privacy/retention policy.

Confidence: 98%

Audit Metadata

Analyzed At: Feb 15, 2026, 07:55 AM
Package URL: pkg:socket/skills-sh/naohainezha%2Fskill%2Fwechat-article-publisher%2F@f45986834ae04d428c0a0362eea1bc51b9ca3374