push-server-py

Pass. Audited by ClawScan on May 1, 2026.

Overview

This skill does what it claims, sending WeCom notifications through a configured push service, but users should treat its API key, target recipients, and message contents carefully.

Install this only if you want the agent to send WeCom notifications. Configure a trusted push URL, use the narrowest API key available, and review recipient lists and message contents before sending sensitive or broad notifications.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent can send notifications to WeCom users using the configured service.

Why it was flagged

The skill is designed to send notifications to user-specified recipients. This is expected for the stated purpose, but it is a side-effecting action: if the `toUser` value is wrong, or is taken from untrusted content the agent is processing, the message goes to the wrong people and cannot be recalled.

Skill content
`toUser` ... `Target user(s), pipe-separated` ... `python3 {baseDir}/notify.py '<JSON>'`

Recommendation

Review intended recipients and message content before using the skill for important or broad notifications.

What this means

Anyone or any agent allowed to invoke this skill can use the configured push-service credential to send notifications.

Why it was flagged

The script uses the configured API key as an authentication header for the push service. This is clearly disclosed and necessary for the integration, but it delegates send authority to the skill.

Skill content
`api_key = os.getenv("QYWX_PUSH_API_KEY")` ... `req.add_header("X-API-Key", api_key)`

Recommendation

Use a least-privilege API key if supported, restrict who can invoke the skill, and rotate the key if it may have been exposed.

What this means

Notification text and links are shared with the configured push server and then delivered to WeCom recipients.

Why it was flagged

The notification payload is sent to the configured push-service endpoint. This is disclosed and purpose-aligned, but message content, URLs, and article metadata leave the local environment.

Skill content
`url = push_url.rstrip("/") + "/api/v2/openapi/messages/send"` ... `data = json.dumps(request_body).encode("utf-8")` ... `urllib.request.urlopen(req, timeout=10)`

Recommendation

Configure only a trusted push URL and use HTTPS, since the API key and the message body travel in the same request and would otherwise cross the network in cleartext. Avoid putting secrets or highly sensitive data in notification content; the push server and every recipient will see it.

What this means

Users have less provenance information for deciding whether to trust the publisher or future updates.

Why it was flagged

The artifacts provide the full script and no install-time dependency, but the registry metadata does not identify a source repository or homepage for the skill itself.

Skill content
Source: unknown; Homepage: none

Recommendation

Verify the publisher and review the included code before installing updates, especially because the skill holds a credential that can send messages on your behalf: a later version could change where the API key or the message payload is sent, and the registry metadata gives no source repository against which to check that.