Skill v1.0.0

ClawScan security

wechat-operate · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 10, 2026, 12:24 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's described purpose (WeChat message/query) roughly matches its instructions, but there are unexplained inconsistencies (an undeclared env var, a hard-coded appid, and a non-public IP endpoint) that could allow unexpected network data flows — verify before installing.
Guidance
Before installing, confirm the following: (1) who operates the endpoint http://192.168.29.1:8080 and whether it is a trusted local service or an external relay; (2) why WECHAT_APPID is present in SKILL.md but not declared in the skill metadata (ask the author to declare required envs explicitly rather than embedding values); (3) whether network traffic is authenticated and encrypted (HTTPS/TLS) and where message data is stored/forwarded; (4) whether you are comfortable the agent will POST message contents (including files) to that host. If you do not control or trust the endpoint, avoid installing or only run the skill in an isolated/test environment. Ask the publisher for source code, official docs, and proof that this is an authorized integration with your WeChat account before granting the agent permission to send messages.

Review Dimensions

Purpose & Capability
note: The skill claims to query contacts and send WeChat messages and the SKILL.md provides specific HTTP endpoints and parameters that implement that. However, the manifest declares no required environment variables while SKILL.md relies on WECHAT_APPID (and even includes a concrete appid value). That mismatch is incoherent: either the skill should declare the appid as a required/optional env or avoid embedding it.
Instruction Scope
concern: Runtime instructions tell the agent to call HTTP endpoints (GET/POST) to query contacts and send text/image/file content. Those calls will transmit whatever content the agent handles to the endpoint. The documented endpoint is a private IP (http://192.168.29.1:8080) and not an official WeChat API domain; this could be a local bridge or an arbitrary host. The skill does include confirmation steps before sending, which is good, but the instructions still allow sending potentially sensitive content to an external endpoint under the skill's control.
Install Mechanism
ok: No install spec and no code files (instruction-only). Nothing will be written to disk by the skill bundle itself, which limits supply-chain risk.
Credentials
concern: The SKILL.md references WECHAT_APPID (and provides a concrete example value) but the skill metadata lists no required environment variables or primary credential. This is inconsistent. The appid is not a secret credential by itself, but the skill will include it in network requests; the lack of declared env requirements reduces transparency about what the agent will send. Also, no authentication or TLS is described for the endpoint.
Persistence & Privilege
ok: The skill is not always-enabled and does not request system config paths or other skills' credentials. Autonomous invocation is allowed by default, which is normal; there is no additional privileged persistence requested.