wechat-publisher

[Skill Scanner] URL with free hosting platform or high-abuse TLD detected All findings: [HIGH] supply_chain: URL with free hosting platform or high-abuse TLD detected (SC007) [AITech 9.1.4] [HIGH] supply_chain: URL with free hosting platform or high-abuse TLD detected (SC007) [AITech 9.1.4] The artifact's stated purpose — publishing local Markdown to WeChat drafts — is plausible and consistent with the described dependencies. However, the documentation explicitly states the runtime (index.js) is obfuscated and forbids inspecting it, and it mandates persisting credentials in config.json. These factors produce a meaningful supply-chain and privacy risk: while there is no direct evidence of active malicious code in the reviewed text, the opacity prevents verifying where credentials and content are sent. Recommend treating the package as suspicious: do not run with real/privileged credentials until the runtime is available for review or it is executed in an isolated, network-restricted environment with active monitoring. LLM verification: The documentation itself contains no visible malware, but there are multiple strong risk signals: an explicitly obfuscated/forbidden-to-inspect index.js that must be executed, instructions to write sensitive APP_ID/APP_SECRET into a config file on disk, unpinned dependency installation, and reliance on a third-party free-host preview URL. These factors materially increase the risk of credential exfiltration or other malicious runtime behavior. Recommendation: do NOT run index.js or perform npm i