Wechat Control
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill is coherent with its WeChat-control purpose, but it can reuse a cached WeChat login to read account data and send messages without a built-in confirmation step.
Use this only on a trusted local machine if you are comfortable letting the agent act through your WeChat account. Confirm recipients and message text manually, clear `loginInfo.pkl` when finished, avoid syncing the cache, and review or modify the code before allowing chat/contact listing or automated message sending.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent or mistaken command could send a message as the user, potentially to the wrong WeChat contact, without another review step.
The send path selects the first matching friend and sends the message directly; the artifacts do not show a confirmation prompt, recipient disambiguation step, allowlist, or approval gate before using the user's WeChat account.
friends = itchat.search_friends(name=to)
...
uid = friends[0]['UserName']
itchat.send_msg(text, toUserName=uid)
Add an explicit per-send confirmation showing recipient and message text, require exact recipient identifiers or disambiguation, and consider an allowlist or dry-run mode.
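The guarded send path recommended above, as an added example that is not the skill's own code. It takes the search and send functions as parameters (in the skill they would be `itchat.search_friends` and `itchat.send_msg`) and uses a constructed friend list so it runs offline; `SendRefused`, `resolve_recipient` and `guarded_send` are names chosen here, not from the skill.

```python
# Added example (not the skill's code): a guarded replacement for the
# "friends[0] + send_msg" path. It takes the search and send functions as
# parameters so it runs offline; in the skill they would be
# itchat.search_friends and itchat.send_msg.

class SendRefused(Exception):
    """Raised instead of guessing a recipient."""

# Constructed sample in the shape itchat.search_friends(name=...) returns.
SAMPLE_FRIENDS = [
    {"UserName": "@abc1", "NickName": "Alice", "RemarkName": "Alice (work)"},
    {"UserName": "@abc2", "NickName": "Alice", "RemarkName": "Alice Li"},
    {"UserName": "@def3", "NickName": "Bob", "RemarkName": ""},
]

def fake_search_friends(name):
    """Stand-in for itchat.search_friends: substring match on nick/remark."""
    return [f for f in SAMPLE_FRIENDS
            if name in f["NickName"] or name in f["RemarkName"]]

def resolve_recipient(name, search, allowlist=None):
    """Return exactly one contact or refuse; never silently take friends[0]."""
    matches = search(name)
    if allowlist is not None:                     # optional allowlist of UserName ids
        matches = [m for m in matches if m["UserName"] in allowlist]
    if not matches:
        raise SendRefused(f"no allowed contact matches {name!r}")
    # Prefer an exact nickname/remark match over substring matches.
    exact = [m for m in matches if name in (m["NickName"], m["RemarkName"])]
    candidates = exact or matches
    if len(candidates) != 1:
        shown = "; ".join(f"{m['RemarkName'] or m['NickName']} {m['UserName']}"
                          for m in candidates)
        raise SendRefused(f"ambiguous recipient {name!r}: {shown}")
    return candidates[0]

def guarded_send(to, text, search, send, confirm, allowlist=None, dry_run=False):
    """confirm(recipient, text) -> bool is the human approval gate; send(text, toUserName=...)
    is only called after it returns True. Returns a small audit record."""
    rcpt = resolve_recipient(to, search, allowlist)
    rec = {"to": rcpt["RemarkName"] or rcpt["NickName"], "uid": rcpt["UserName"], "sent": False}
    if dry_run:
        return {**rec, "reason": "dry-run"}
    if not confirm(rcpt, text):                   # show recipient + text before sending
        return {**rec, "reason": "declined"}
    send(text, toUserName=rcpt["UserName"])
    return {**rec, "sent": True, "reason": "confirmed"}
```

With two contacts both nicknamed "Alice", a plain `"Alice"` is refused as ambiguous unless an allowlist or the exact remark name narrows it to one; the send function is never reached in dry-run mode or when the confirmation gate declines.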
Anyone or any agent process that can invoke the skill on that machine may be able to reuse the cached WeChat session to read account data or send messages.
The skill discloses that it persists a reusable login cache, which functions like a session credential and allows later launches to act as the WeChat user without rescanning.
Afterwards the login state is saved (`itchat` automatically caches `loginInfo.pkl`); subsequent launches log in directly.
Declare the session cache as credential-like state, provide clear logout/cache-clearing instructions, store it in a scoped protected path, and require user approval before actions that use the cached session.
Private contact or group information may be pulled into the agent context unexpectedly, and users may misinterpret profile signatures as recent messages.
The documented feature says it lists recent chats, but the implementation updates chatrooms and fetches friends, then outputs friend profile signature data as `last_msg`; this is broader and less clear than the stated data scope.
recent = itchat.get_chatrooms(update=True) # placeholder; actual API may differ
friends = itchat.get_friends(update=True)[:limit]
...
'last_msg': f.get('Signature')
Limit retrieval to the documented recent-chat fields, remove unused broad chatroom fetching, document exactly what account data is read, and ask before returning chat/contact data to the agent.
