Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
WeCom Task Manager
v1.2.2
Manage, track, and update enterprise WeCom tasks and goals with creation, progress, status reports, filtering, and dependency handling for authorized agents.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The code and documentation implement a WeCom (企业微信) smart-sheet driven task manager and call a 'mcporter' tool (wecom-doc.* operations). That matches the stated purpose. However the skill metadata/registry declared no required binaries or env vars while the code hardcodes a local mcporter binary path (/usr/local/Cellar/node/25.6.0/bin/mcporter) and expects mcporter to exist; this is an inconsistency (the skill will fail or behave unexpectedly if mcporter is absent or placed elsewhere).
Instruction Scope
SKILL.md and the scripts instruct the agent to switch the working directory to ~/.openclaw/workspace and to call mcporter to read/update enterprise WeCom tables. The code reads local config.json and workspace files and relies on AGENT_ID from the environment if not passed in. This is within the task-manager scope but it also gives the skill access to the user's workspace and configuration files which are outside a minimal 'task API' surface — worth noting. Crucially, run_mcporter constructs a shell command with user-controlled JSON args and calls subprocess.run(..., shell=True) — this is a command-injection risk if input fields contain single quotes or crafted payloads.
Install Mechanism
There is no install spec (instruction-only), but full Python code and package.json are included. package.json and _meta.json mention a dependency on 'mcporter' while the registry's declared required binaries list is empty — inconsistent. The skill will implicitly require a functioning mcporter and appropriate MCP config in the user's workspace; that requirement is not surfaced in registry metadata.
Credentials
The skill declares no required env vars but the code reads AGENT_ID from the environment if agent_id is not supplied. config.json (copied from template) contains enterpriseWeChat.docId and sheetId which are sensitive configuration values needed to access the organization's smart sheet; these are not flagged as secrets in the registry. The code's reliance on mcporter and workspace MCP configuration means credentials for WeCom access will likely live in workspace configuration (outside the skill) — the skill requests effective access to those credentials implicitly without declaring them.
Persistence & Privilege
_meta.json and SKILL.md mark the skill as global and autoLoad=true (a global skill auto-loaded by the agent framework). While 'always' is false, autoLoad/global status means the skill will be present broadly. Combined with changing the current working directory to ~/.openclaw/workspace and using subprocesses, this broader presence increases the blast radius if the unsafe subprocess usage or misconfiguration is exploited.
What to consider before installing
This skill appears to implement what it claims (WeCom smart-sheet task management) but has implementation and metadata inconsistencies and at least one concrete security weakness:
- Inconsistency: The code requires mcporter (hardcoded path) and workspace MCP configuration, but the registry metadata lists no required binaries or credentials. Ask the publisher to declare mcporter as a required binary and to document where credentials are stored.
- Command injection risk: run_mcporter builds a shell command containing JSON args and calls subprocess.run(..., shell=True). If any task fields (titles, descriptions, output_url, etc.) come from untrusted sources, they could be crafted to break out of the JSON quoting and execute arbitrary shell commands. Before installing, request a fix to run mcporter using a safe argument list (avoid shell=True and pass args as a list) or to properly escape inputs.
- Workspace access & secrets: The skill changes cwd to ~/.openclaw/workspace and will rely on MCP configuration there; ensure sensitive credentials (WeCom API tokens/config) are stored securely and that you trust the skill's author. The config.json may contain docId/sheetId and potentially other secrets in your environment; don't install in environments with sensitive data until you confirm where credentials live.
- Auto-load/global: Because autoLoad/global is true, the skill will be loaded widely; only install if you trust the author or run it in an isolated environment first.
Actionable steps before using:
1) Ask the publisher for the authoritative source repository and for the declared runtime dependencies (mcporter path/version) and credential requirements.
2) Run the skill in an isolated test environment (no production secrets) and inspect mcporter calls to verify no unexpected side effects.
3) Patch run_mcporter to call subprocess.run with a list of args (no shell=True) or use a proper client API to avoid shell injection.
4) Ensure config.json does not contain secrets you wouldn't want the skill to access, and confirm where WeCom credentials are stored and who can read them.
If you cannot verify the author or cannot fix the subprocess usage, treat the skill as high-risk and do not install it in production systems.
Like a lobster shell, security has layers — review code before you run it.
