Wechat Mcp
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If an agent calls this tool at the wrong time, it could send a message to the wrong WeChat chat or send content the user did not explicitly approve.
The MCP send tool only needs message text and then performs the actual send by pressing Enter in the active/current chat window, with no built-in recipient validation or confirmation step.
"required": ["message"] ... success, err = send_message_to_current(message) ... pyautogui.press('enter')Require explicit user approval before every send, show the detected recipient and exact message, add recipient allowlisting or validation, and avoid autonomous invocation for this tool.
The agent effectively receives delegated ability to send WeChat messages from the user's account through the desktop session.
The code uses the already-authenticated WeChat desktop app to send messages as the user, but it does not scope that authority to a named contact or require a human confirmation.
wins = gw.getWindowsWithTitle("微信") ... pyperclip.copy(message) ... pyautogui.hotkey('ctrl', 'v') ... pyautogui.press('enter')Clearly disclose that the active WeChat login will be used, require per-message confirmation, and limit sending to user-approved contacts or conversations.
A user may believe the skill will target a named contact, while the implemented behavior may send to whichever chat window is currently active.
The documentation describes sending to a specified contact through a search/open/send flow, but the provided server implementation exposes only a current-chat send tool and does not define send_message_to_contact.
给指定联系人发送消息(完整流程:搜索->打开聊天->发送)
send_message_to_contact("联系人名称", "消息内容")Align the documentation with the implementation, or implement and verify the contact-selection flow before sending.
Private WeChat conversation content may remain on disk after using the skill and could be exposed through backups, file sharing, or later local access.
The send workflow saves screenshots of the WeChat window, input area, and result to persistent local files, which may contain private chat content and the sent message.
img.save(str(Path(__file__).parent / "verify.png")) ... input_img.save(str(Path(__file__).parent / "input_verify.png")) ... img.save(str(Path(__file__).parent / "result.png"))
Make screenshots opt-in, document exactly where they are stored, use temporary files where possible, and provide cleanup or redaction controls.
Users may install different future package versions than the author tested.
The skill depends on multiple PyPI packages using lower-bound version constraints rather than a locked set of exact versions; these dependencies are expected for GUI automation but still affect install provenance.
pyautogui>=0.9.54 pygetwindow>=0.0.9 pytesseract>=0.3.13 Pillow>=12.1.0 pyperclip>=1.11.0 opencv-python>=4.13.0
Pin exact dependency versions or provide a lockfile and a clear installation specification.