Weixin OpenClaw Login
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This Weixin login helper is mostly purpose-aligned, but it can expose a Weixin/OpenClaw login token in command output and local account files.
Install only if you are comfortable troubleshooting Weixin/OpenClaw login locally. Run the npm install deliberately, verify the package source, and do not share raw poll output or files under `~/.openclaw/openclaw-weixin/` unless `bot_token` values and other secrets are redacted.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A Weixin/OpenClaw login token could be exposed in terminal output, chat transcripts, logs, or copied troubleshooting data.
The script prints the entire login-status response even when it contains `bot_token`, which the skill describes as the successful Weixin/OpenClaw login token.
`print(time.strftime('%H:%M:%S'), json.dumps(data, ensure_ascii=False))`
`... if status in ('confirmed', 'expired') or data.get('bot_token'):`
Treat `bot_token` like a password. Redact it from output and logs, avoid pasting account JSON into chats, and prefer scripts that only report whether a token exists rather than printing the token itself.
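The following is an added example, not code from the skill or from ClawScan, showing the mitigation described above: a poll loop that prints either a status summary (status plus whether a token exists) or a redacted copy of the response, never the raw `bot_token`. It assumes the login-status response is a JSON object carrying `status` and, on success, `bot_token`, as the report describes; the sample responses, the extra secret key names and the `nick` field are constructed for illustration.

```python
import json
import time
from typing import Any

# Keys whose values are treated as secrets. "bot_token" is the key named in the
# skill's own poll output; the other names are hypothetical extras for illustration.
SECRET_KEYS = {"bot_token", "token", "secret", "password"}


def redact_secrets(obj: Any) -> Any:
    """Return a deep copy of obj with values under secret keys replaced by a mask.

    Nested dicts and lists are walked recursively; the input is not mutated.
    """
    if isinstance(obj, dict):
        return {
            k: ("<redacted>" if k.lower() in SECRET_KEYS and v not in (None, "")
                else redact_secrets(v))
            for k, v in obj.items()
        }
    if isinstance(obj, list):
        return [redact_secrets(v) for v in obj]
    return obj


def summarize_login_status(data: dict) -> dict:
    """Report only what a user needs to troubleshoot: status and token presence."""
    return {
        "status": data.get("status"),
        "has_token": bool(data.get("bot_token")),
    }


def poll_once(data: dict, verbose: bool = False) -> str:
    """Format one poll result for the terminal without ever emitting the raw token.

    Default output is the short summary; verbose output is the full response
    with secret-keyed values masked, which is safe to paste into a bug report.
    """
    payload = redact_secrets(data) if verbose else summarize_login_status(data)
    return f"{time.strftime('%H:%M:%S')} {json.dumps(payload, ensure_ascii=False)}"


# Constructed sample responses (not real Weixin/OpenClaw API output).
SAMPLE_PENDING = {"status": "pending"}
SAMPLE_CONFIRMED = {
    "status": "confirmed",
    "bot_token": "EXAMPLE-TOKEN-NOT-REAL",
    "nick": "测试",
}

if __name__ == "__main__":
    for sample in (SAMPLE_PENDING, SAMPLE_CONFIRMED):
        print(poll_once(sample))
        print(poll_once(sample, verbose=True))
```

The same `redact_secrets` helper can be applied before writing any account JSON under `~/.openclaw/openclaw-weixin/` to a log or sharing it for troubleshooting; the original response object is left intact so the script can still persist the real token where it is needed.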
Installing or updating the external package changes the local OpenClaw environment and depends on the current npm package contents.
The setup path runs an external npm CLI with automatic yes (`-y`) and no pinned version in the provided artifacts, so whatever the registry serves at install time is executed. This is central to the skill's purpose, but users should recognize the supply-chain dependency.
`npx -y @tencent-weixin/openclaw-weixin-cli install`
Verify the package publisher and version before running the command; consider pinning a known-good version and running the install only after explicit user approval.
