baoyu-post-to-wechat

The skill is internally consistent with its stated WeChat publishing purpose: it reads expected config, uses official WeChat endpoints, and requests proportionate credentials. The main risks are autonomous public posting, transitive trust in a separate markdown skill, and official-but-still-risky Bun download/execute patterns. Overall this looks suspicious only in the sense of operational risk, not malicious intent or credential exfiltration.