Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
webhook-notify
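v1.0.0
General-purpose webhook notification tool that supports sending webhook messages to DingTalk, WeCom, Slack, Feishu and other platforms, as well as custom HTTP POST requests. Suitable for alert notifications, automation triggers, system monitoring and similar scenarios.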
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The stated purpose (send webhooks to DingTalk/WeCom/Feishu/Slack/custom) matches the SKILL.md content. However, package metadata lists PowerShell-based files (webhook-functions.ps1, examples.ps1) and install hooks, while the actual manifest (files present) does not include those script files. Additionally, registry-level required-bins lists 'curl' yet package.json declares 'powershell' as the executable requirement — these mismatches are disproportionate to the simple purpose and suggest packaging errors or omissions.
Instruction Scope
SKILL.md only instructs sending HTTP webhook requests and configuring environment variables; that is within the declared purpose. It does recommend dot-sourcing webhook-functions.ps1 and optionally adding that to the user's PowerShell profile ($PROFILE), which modifies user shell config—reasonable for convenience but higher-impact, and should only be done after inspecting the script content. The instructions also allow arbitrary URLs and BasicAuth credentials (expected for custom webhooks) — this means the skill can transmit any data you pass it to external endpoints.
Install Mechanism
There is no install spec in the registry (instruction-only), which is low risk by itself. But package.json declares install hooks (.\install.ps1 and uninstall.ps1) that are not present in the file manifest. The absence of expected script files (webhook-functions.ps1, examples.ps1, install.ps1) is an inconsistency that could be an honest packaging mistake — or it could be an attempt to deliver the actual code by a different, potentially unsafe channel. This mismatch increases risk until resolved.
Credentials
The skill does not require any secrets by registry policy. SKILL.md and package.json suggest optional environment variables for webhook URLs (DINGTALK_WEBHOOK, WECOM_WEBHOOK, etc.), which are appropriate for the stated function. The custom-request features accept Username/Password for BasicAuth and arbitrary headers — expected for a webhook tool, but be cautious not to expose sensitive credentials to untrusted code or endpoints.
Persistence & Privilege
The skill is not marked 'always' and allows normal autonomous invocation. It suggests adding its functions to the PowerShell profile for persistent availability (a user-level change) — a convenience but a persistence action that should only be performed after reviewing the code. package.json references install hooks (absent) which, if present, could perform system changes; their absence should be clarified.
What to consider before installing
Do not dot-source or add any scripts to your PowerShell profile until you can inspect them. Before installing/using:
1) Ask the publisher for the missing files (webhook-functions.ps1, examples.ps1, install.ps1) or get the code from the official repository URL; verify the repository/homepage actually hosts the same code.
2) Inspect webhook-functions.ps1 for any unexpected behavior (remote downloads, credential exfiltration, writing to system files, or network calls to unknown domains) before running it.
3) Prefer setting webhook URLs as session-only env vars (not system-wide) and avoid storing sensitive credentials in plaintext env vars.
4) If an installer script is provided, review it thoroughly rather than running it blindly.
5) If you can't obtain and review the actual scripts, treat this package as untrusted—the manifest inconsistencies mean the package may be incomplete or tampered with.
Like a lobster shell, security has layers — review code before you run it.
Tags: dingtalk, feishu, latest, notification, slack, webhook, wecom
Runtime requirements
🔔 Clawdis
OS: Linux · macOS · Windows
Any bin: curl
