aws-wechat-article-publish

Warn

Audited by Socket on Apr 26, 2026

2 alerts found:

Anomaly x2
Anomaly: LOW
references/usage.md

The described workflow enables automated publication to WeChat using credentials stored in the repo. While not showing malicious code, the design introduces substantial supply-chain and operational risks due to hard-coded credentials in aws.env, configurable endpoints, and CLI-based publishing without explicit access controls or rotation. Mitigation should prioritize secret management, least-privilege per slot, strict access controls for publish actions, secure logging practices, and credential rotation/audit processes.

Confidence: 68%, Severity: 62%
Anomaly: LOW
SKILL.md

SUSPICIOUS. The core capability matches the stated purpose of publishing WeChat articles, and the required credentials/files are mostly proportionate. The main concerns are (1) optional routing through a custom API base that could intercept APPID/APPSECRET and article content, (2) encouragement to install a broader multi-skill suite, and (3) autonomous public publishing capability with real-world consequences. If constrained to official api.weixin.qq.com and used with explicit user approval, the skill appears coherent rather than malicious.

Confidence: 82%, Severity: 58%
Audit Metadata
Analyzed At: Apr 26, 2026, 05:43 AM
Package URL: pkg:socket/skills-sh/aiworkskills%2Fwechat-article-skills%2Faws-wechat-article-publish%2F@285177d039b3fe0a6d72dfd097e2b0b4687c19ee