Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
wechat-skill
v1.0.1Windows 电脑端微信消息发送 MCP,实现在微信上给指定联系人发送消息
⭐ 0· 314·1 current·1 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The name/description (WeChat message sending on Windows) align with the included Python code and SKILL.md. Requiring python and the listed pyautogui-related packages is proportional to GUI automation of WeChat. No unrelated credentials, binaries, or cloud services are requested.
Instruction Scope
SKILL.md instructs the agent to invoke the bundled Python script to control the WeChat GUI. The script captures window screenshots, activates windows, manipulates the clipboard, and sends keystrokes/mouse clicks — all within the stated purpose. These instructions do not attempt to read unrelated system files or environment variables, but they do perform broad desktop interactions (focus changes, global keystrokes) that can affect other applications.
Install Mechanism
There is no registry install spec; SKILL.md tells the user to pip install standard PyPI packages (pyautogui, opencv, etc.). Using PyPI packages is typical for this task; it is moderate-risk compared with a direct remote download but expected for a Python GUI tool. Users should review and install dependencies themselves rather than blindly running install commands.
Credentials
The skill requests no environment credentials (proportional). However, it writes screenshots to the skill directory (verify.png, search_result.png, input_verify.png, opened_chat.png, result.png) and overwrites the clipboard when pasting messages. These behaviors can leak or persist sensitive chat content locally and can overwrite user clipboard data unexpectedly.
Persistence & Privilege
No elevated privileges or always:true flag are requested. The skill runs only when invoked and does not modify other skills or system-wide configs. It does require an interactive desktop session (access to the user's GUI) and will act as the logged-in user, so it must run in the user's session context.
Assessment
This skill appears to do exactly what it claims: control the WeChat desktop window to send messages via GUI automation. Before installing or running it, consider the following: (1) it takes and saves screenshots of your WeChat window to the skill folder — these may contain sensitive messages; (2) it copies message text to your clipboard (overwriting whatever was there); (3) it sends global keystrokes and mouse clicks and can accidentally send input to the wrong window if focus is lost; (4) dependencies are installed from PyPI — review them and install manually if you prefer; (5) the SKILL.md uses a user-specific path example (C:\Users\toby\...) — adjust to your environment. If you accept those privacy/usability trade-offs, prefer to review the script yourself and run it in a controlled session (no other important apps focused) and remove saved screenshots afterward.Like a lobster shell, security has layers — review code before you run it.
latestvk97364gd8wm37w1detg5t622h582vk5x
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
OSWindows
Binspython