wx-skill-caller

v1.0.1

Primary handler for general user messages. Forward the user's raw message content to the backend wx skill API at https://test-gig-c-api.1haozc.com/api/wx/kjj...

⭐ 0· 50·0 current·0 all-time

by@heqq-github

MIT-0

Download zip

LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.

Security Scan

VirusTotal

Benign

View report →

OpenClaw

Benign

high confidence

✓

Purpose & Capability

The name, description, SKILL.md, and the included Python script all match: the skill takes user message text, POSTs it as the "content" field to the declared API URL, parses the JSON response, and returns it. There are no unexpected environment variables, binaries, or unrelated capabilities requested.

ℹ

Instruction Scope

The runtime instructions explicitly forward the user's raw message content to an external API and return the API's JSON. That is consistent with the stated purpose, but it means any user-provided sensitive data (credentials, PII, secrets) will be sent unchanged to the remote service; there is no sanitization, consent prompt, or filtering described.

✓

Install Mechanism

This is an instruction-only skill with a small bundled script and no install spec or external downloads. Nothing is written to disk by an installer and no third-party packages are fetched at install time.

✓

Credentials

The skill does not request environment variables, credentials, or config paths. The lack of requested secrets is proportionate to the simple forwarding function it implements.

ℹ

Persistence & Privilege

The skill is not always-enabled and is user-invocable (default). Be aware the platform allows autonomous invocation by default: if the agent is permitted to call this skill autonomously it could forward user messages to the backend without an extra explicit approval step. This is a privacy/consent consideration rather than an incoherence.

Assessment

This skill does what it says: it will send the user's raw message text to https://test-gig-c-api.1haozc.com/api/wx/kjj/v1/customer/skill/call and return the service's JSON. Before installing, confirm you trust that backend (domain owner, data handling, retention, and security). Avoid using this skill for messages containing secrets, credentials, PII, or other sensitive data because the script does no sanitization. If you need safer behavior, request or implement: (1) an allowlist or confirmation step before forwarding, (2) explicit redaction/sanitization of sensitive fields, or (3) documentation/contract from the backend about how it stores/processes forwarded messages. Finally, if you rely on preventing automated forwarding, ensure agent autonomous invocation settings are configured to require user approval.

Like a lobster shell, security has layers — review code before you run it.

latestvk975wnxxh6mr1q7byfxm0yb10984ryan

License

MIT-0

Free to use, modify, and redistribute. No attribution required.

Termshttps://spdx.org/licenses/MIT-0.html

wx-skill-caller

License

Comments