post-to-wechat

SUSPICIOUS. The skill is mostly aligned with its stated WeChat publishing purpose, and the provided evidence suggests the app domain and GitHub repo are same-operator. However, it sends article content through a third-party rendering site and grants the agent browser-level control over a logged-in WeChat publishing session, enabling real-world posting actions. This is not confirmed malware, but it carries meaningful security and account-integrity risk due to intermediary data flow and autonomous backend automation.