qywx-msg-sender
v1.0.1通过企业微信群机器人 Webhook 发送消息通知。支持文本、Markdown、Markdown V2(表格)、图片、文件消息。 支持发送到指定会话(chatid)或通过名称发送(需先注册 webhook URL)。 适用场景:服务告警、定时任务结果推送、数据报告发送、任何需要通知企业微信群的情况。
⭐ 0· 101·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The name/description (WeCom group webhook sender) matches the implementation: bash scripts to send text, markdown, images, files, and manage a local registry of named webhooks. Declared runtime dependencies (curl, jq) are appropriate and used by the scripts.
Instruction Scope
SKILL.md and the scripts confine actions to expected behavior: parsing args, reading/writing a local registry (~/.wecom/chat_registry.json by default), reading user-provided files (images/files/messages), and posting to the WeCom webhook endpoints. The scripts do not access unrelated system credentials or external endpoints beyond the WeCom API and the user-supplied webhook URLs.
Install Mechanism
No install spec is provided — this is instruction + script bundle. No external downloads or archive extraction occur. Scripts are plain shell; risk is limited to running those scripts locally.
Credentials
The skill does not require unrelated credentials. It optionally uses WECOM_WEBHOOK_URL, WECOM_CHATID and WECOM_REGISTRY_FILE which are proportional. Important: registered webhook URLs (which include the secret 'key' query parameter) are stored in plaintext in the registry file (~/.wecom/chat_registry.json by default), so the registry effectively holds secrets that should be protected.
Persistence & Privilege
The scripts persist a registry file under the user's home directory and modify it (register/unregister). always:false and autonomous invocation defaults are unchanged. The skill does not request system-wide changes or modify other skills' configurations.
Assessment
This skill appears coherent and does what it says: send messages to Enterprise WeChat group bots. Before installing or running: (1) confirm you trust the webhook URLs you register — the URLs contain keys that allow posting to your groups; (2) protect the registry file (~/.wecom/chat_registry.json) with appropriate filesystem permissions because it stores webhook URLs in plaintext; (3) be aware that sending a file/image will upload its contents to WeCom (the upload endpoint is qyapi.weixin.qq.com); (4) review the scripts yourself if you run them in sensitive environments (they are simple shell scripts but will read any file path you pass); (5) ensure curl and jq come from trusted system packages. If you need stronger secrecy for webhook keys, avoid storing them in the registry or store them encrypted and modify the scripts accordingly.Like a lobster shell, security has layers — review code before you run it.
latestvk9786z7g7c8xy3hj77t0z9vxn5837kgq
License
MIT-0
Free to use, modify, and redistribute. No attribution required.