post-to-wechat

The skill is largely aligned with its stated purpose: publishing to WeChat via official API or browser automation. Main risks come from public posting capability, local handling of raw API credentials, Bun install hygiene, and transitive trust in a separate markdown-to-html skill. No strong signs of malware or deceptive exfiltration are present, but the skill should be treated as medium-high risk because it can perform real-world publishing actions and store credentials locally.