Wechat Automation
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its WeChat messaging purpose, but it can notify everyone by default and its shell test prints the webhook key.
Review the defaults before installing. If you use it, ensure messages only go to intended groups, remove or change the default @all behavior, do not share terminal output containing webhook URLs, and redact or rotate any exposed webhook key.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A routine message could unexpectedly alert everyone in an Enterprise WeChat group.
For text messages, the code mentions everyone when no mention list is supplied, which is broader than the simple send examples disclose.
mentioned_list: mentioned_list.length > 0 ? mentioned_list : ['@all']
Change the default to no mentions, require an explicit @all option, and disclose or confirm group-wide notifications.
Anyone who sees terminal output, logs, or shared screenshots could copy the key and send messages through the bot.
The webhook key authorizes posting to the WeChat bot, and the test script prints it to the terminal as part of the URL.
WEBHOOK_URL="https://qyapi.weixin.qq.com/cgi-bin/webhook/send?key=${WEBHOOK_KEY}" ... echo "URL: $WEBHOOK_URL"
Redact the key in logs and test output, avoid passing secrets where they may be recorded, and rotate any key that has been exposed.
Running this command gives a remote setup script elevated local privileges.
The optional setup guide runs a remote script with sudo privileges; it is disclosed and user-directed, but it relies on an external installer.
curl -fsSL https://deb.nodesource.com/setup_18.x | sudo -E bash -
Verify the source before running it, prefer trusted package-manager installation where possible, and avoid privileged remote scripts unless necessary.
