Enterprise WeChat AI Bot Integration

Pass

Audited by ClawScan on May 1, 2026.

Overview

This appears to be a straightforward Enterprise WeChat setup skill, but users should notice that it stores a bot secret, changes OpenClaw gateway configuration, and defaults direct-message access to open.

Before installing, confirm you trust the Enterprise WeChat plugin source, protect the Bot Secret and OpenClaw config file, and consider changing `dmPolicy` from `open` to `allowlist` or `pairing` for production use.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone who can read the OpenClaw config file may be able to recover the bot secret and connect as or reconfigure the bot.

Why it was flagged

The setup script collects the Enterprise WeChat Bot Secret and writes it into the OpenClaw channel configuration, which is expected for this integration but is still sensitive credential handling.

Skill content

secret = input("请输入企业微信 Secret: ").strip() ... 'secret': secret

Recommendation

Protect the OpenClaw config file, avoid sharing it, rotate the bot secret if exposed, and prefer interactive entry over passing the secret on the command line.

What this means

More people than intended may be able to interact with the OpenClaw assistant through Enterprise WeChat.

Why it was flagged

The skill documents 'open' as the recommended direct-message policy, allowing all users to message the bot unless the user chooses a stricter mode.

Skill content

`open` | All users can send messages directly (recommended)

Recommendation

Use `pairing` or `allowlist` for production or sensitive workspaces, and configure an explicit allowlist before exposing the bot broadly.

What this means

Installing or forcing replacement of a plugin can change gateway behavior beyond this small setup script.

Why it was flagged

The documentation includes a command to install an external OpenClaw plugin with --force, which is purpose-aligned but depends on external package provenance and may replace an existing plugin.

Skill content

openclaw plugins install @wecom/wecom-openclaw-plugin --force

Recommendation

Verify the plugin source, avoid `--force` unless troubleshooting requires it, and pin or review the plugin version where possible.