md2wechat Is Now on ClawHub: What to Check Before Installing It in OpenClaw

md2wechat now has a public ClawHub page:

• ClawHub: geekjourneyx/md2wechat

If you already work inside OpenClaw, that is useful for a simple reason: the install entry, the scan result, and the public SKILL.md are all in one place.

When I open a page like this, I usually check three things first:

1. what the summary claims the skill can do
2. what the scan result currently says
3. what the public SKILL.md actually exposes

For md2wechat, those three sections are enough for a first review.

First check whether the scope matches what you need

As of March 19, 2026, the public page already makes several things visible:

• the skill name is md2wechat
• it is positioned as a Markdown-to-WeChat HTML tool
• it supports both API mode and AI mode
• the summary also mentions writer assistance, AI trace removal, and image-post support

From the public SKILL.md, this is clearly more than a single formatter command. The exposed workflow includes:

• convert
• upload_image
• download_and_upload
• generate_image
• humanize
• write
• create_image_post

If you only want a Markdown-in, HTML-out tool, this already goes beyond that. It reads more like a command bundle for writing, image handling, and WeChat publishing.

Check the runtime boundaries before you install it

Also as of March 19, 2026, the ClawHub page shows two scan results:

• VirusTotal: Benign
• OpenClaw security scan: Suspicious, with medium confidence

I would not ignore that, but I also would not flatten it into "malicious." A better reading is that the runtime behavior is more complex than an instruction-only text skill.

The public scan notes point to three concrete things.

1. The metadata does not fully declare the WeChat-side environment needs

The page lists IMAGE_API_KEY as the primary environment variable, but the exposed SKILL.md and commands also rely on:

• WECHAT_APPID
• WECHAT_SECRET

That changes the install review in a practical way:

• the visible metadata is not the full config picture
• draft creation and upload behavior depend on credentials that are clearer in SKILL.md than in the registry metadata

2. The runtime downloads and executes a prebuilt binary

The page explicitly notes that scripts/run.sh downloads a prebuilt binary from GitHub Releases and stores it under:

~/.cache/md2wechat

That does not automatically make the skill unsafe, but it is a real boundary:

• there is a runtime download step
• this is not an instruction-only skill
• you should decide whether you accept that install model before using it in a main environment

3. The skill reads local content and talks to external services

From the public page and SKILL.md, the workflow can include:

• reading local Markdown
• reading or downloading images
• uploading images to WeChat
• calling external image-generation APIs
• calling WeChat APIs for draft or image-post creation

So the real review question is not "Is this just text?" It is:

• are you okay with local files being read
• are you okay with content being sent to external services
• are you okay with WeChat credentials being part of the workflow

Those are the actual boundaries to review before using it on a real account.

That is why the listing is useful

Before this, the same review usually meant digging through the repo and helper scripts. Now the first-pass check is public and concentrated.

You can now inspect:

• the summary
• runtime requirements
• scan results
• SKILL.md
• the file list

That is better than installing first and discovering the runtime behavior later.

If I were installing it myself, I would do it in this order

Step 1: read the ClawHub page before you install

Start here:

• ClawHub: geekjourneyx/md2wechat

Check four things first:

1. whether the summary matches the capability you want
2. what the current scan result says
3. whether the public SKILL.md matches your expected workflow
4. whether the runtime requirements and external interactions fit your environment

Skipping this step is how people get surprised later by runtime downloads or missing credentials.

Step 2: separate installation from configuration

This matters even more in OpenClaw than in a simple CLI setup.

Installation only makes the runtime see the skill. Configuration is what makes the workflow usable.

From the public page, the config requirements clearly split into two buckets.

Base image-related features

• IMAGE_API_KEY, if you want image generation

WeChat publishing features

• WECHAT_APPID
• WECHAT_SECRET

If I only wanted to validate Markdown-to-HTML conversion, I would not front-load the full advanced setup.

Step 3: test the shortest path first

The exposed SKILL.md shows a fairly large command surface. I would not start from the most complex path.

For a first check, I would start from the shortest possible command:

bash skills/md2wechat/scripts/run.sh convert article.md --mode api

If that works, then I would move into image handling, humanize, and only later drafts.

A safer progression is:

1. validate convert
2. validate image upload
3. validate humanize or write
4. only then move into draft or create_image_post

That order matters for a practical reason:

• dependencies grow at each step
• image generation, uploads, and draft creation all add new failure surfaces
• the full chain is harder to debug if you start there

Step 4: decide whether ClawHub is actually your main entrypoint

The new ClawHub listing is a strong public entry for OpenClaw users, but it does not replace every other install path.

If you are:

mainly an OpenClaw user

the ClawHub page is now the cleanest public starting point

mainly using shell scripts and local commands

you may still prefer:

• md2wechat-lite

mainly using Claude Code or another plugin-driven workflow

you may still prefer:

• the original md2wechat-skill distribution path

So the value of the ClawHub page is not "one entrypoint for everyone." It is a better public review surface for OpenClaw users.

Two things I would still flag

1. Do not ignore the scan warning

Suspicious does not mean "do not touch this." It does mean "read before you install."

At minimum, confirm that you accept:

• runtime binary download
• local file reads and external API calls
• the use of WeChat credentials for publishing actions

2. Do not treat the page as the whole ops manual

The page is a strong entrypoint. It is still not a complete operations guide.

A more realistic approach is:

• use the ClawHub page for discovery and first review
• use the exposed SKILL.md to inspect commands and workflow boundaries
• then validate the smallest path in your own environment

How I would use this page

If I were adding this skill to OpenClaw, I would keep the order simple:

1. read the ClawHub page
2. read the public SKILL.md
3. test the shortest command path first
4. only then move into the full publishing chain

The practical benefit is simple: problems show up earlier, and the failure surface stays smaller while you are still validating the setup.

If you want to keep going, continue with:

• How to Install md2wechat-skill in OpenClaw
• Stop Rewriting from Scratch: Install the Humanizer Skill in OpenClaw