ClawHub

wechat-group-qa/

v1.0.0

从企业微信群提取学员提问,按课程阶段分类并生成表格。当用户在企业微信群里@机器人提问时,自动记录问题并整理。

0· 234·0 current·0 all-time
by@jackzhenguo
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill's stated purpose is to extract @-mentions from enterprise WeChat group chats and persist them. However, the package declares no required environment variables, no credentials, no config paths, and no install or code — there is no described mechanism for accessing WeChat (API tokens, bot webhook, or platform integration). Either the platform must implicitly provide all chat data (not documented here) or the skill cannot perform its claimed function; this mismatch is unexplained.
!
Instruction Scope
SKILL.md instructs the agent to '读取群消息记录' and '自动记录' messages and save them to a local file (wechat-qa-records.md). It does not specify how message history is accessed, what time range is read (entire history vs only @ messages), or any privacy/consent rules. The file write behavior is explicit but there is no limitation on which messages are gathered, potentially allowing broad collection of chat history.
Install Mechanism
There is no install spec and no code files (instruction-only). This minimizes disk-writing install risk. The lack of an install mechanism contributes to the capability ambiguity described above but is not itself risky.
!
Credentials
The skill requests no credentials despite needing access to enterprise WeChat messages. A legitimate WeChat integration normally requires tokens/credentials or a documented bridge. The absence of declared auth raises the question of where messages come from and whether the agent would attempt to read system logs or other sources to obtain them.
Persistence & Privilege
always:false (normal) and autonomous invocation is allowed (disable-model-invocation:false), which is the platform default. The skill will write a local file (wechat-qa-records.md) when it runs; this is a modest persistence action but should be disclosed to users. There is no evidence it modifies other skills or global config.
What to consider before installing
This skill's purpose (collect @-mentions from enterprise WeChat and save them) is plausible, but the SKILL.md gives no technical details about how to access WeChat or obtain permissions. Before installing or enabling it, ask the author or provider: (1) how does the skill receive group messages — is there a documented integration (WeChat Work bot token, webhook, or platform-provided context)? (2) what exact messages are read (only explicit @ messages, or entire chat history), and what retention/ deletion policy applies to stored data? (3) where is wechat-qa-records.md written and who can read it? (4) request that any access require explicit, scoped credentials (bot token or OAuth) rather than silent implicit access. If you cannot get clear answers, avoid installing this skill or only enable it in a sandboxed environment where it cannot access sensitive logs or network resources.

Like a lobster shell, security has layers — review code before you run it.

latestvk97c3z4gbhnsxhwm58n6pjfgtn82pfcswechat group qa bot assistantvk97c3z4gbhnsxhwm58n6pjfgtn82pfcs

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments