WeCom post in group
v1.0.1This skill should be used when users want to set up scheduled or recurring content push to WeChat Work group webhooks. It supports flexible scheduling includ...
⭐ 0· 175·1 current·1 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description match the provided assets: SKILL.md describes scheduled pushes and automation creation, and the included Python scripts implement webhook validation and message push. Nothing in the repository requests unrelated cloud credentials or external services beyond content generation (which is expected for summarized/report pushes).
Instruction Scope
Instructions stay within the stated purpose (parse webhook, determine schedule, generate content, test push, create automation). They explicitly allow reading a user-specified file containing a webhook key/URL and instruct embedding the webhook URL into automation prompts (expected for running the automation). Minor inconsistency: SKILL.md says to always mask webhook keys in user-facing output, but scripts/validate_webhook.py prints an unmasked WEBHOOK_URL line on success (this can leak the full webhook into logs).
Install Mechanism
No install spec; this is instruction + small Python scripts only (standard library usage). No external downloads or package installs are requested.
Credentials
The skill requests no environment variables or credentials beyond the webhook key/URL supplied by the user (which is appropriate). Be aware the automation prompt and created automation will include the webhook URL (a secret) and the validate script prints the full WEBHOOK_URL to stdout on success, which contradicts the SKILL.md masking guidance and could expose the webhook in logs or automation metadata.
Persistence & Privilege
always is false and the skill does not request system-wide configuration changes. It expects the platform automation system (via automation_update) to store the automation; that is expected for scheduled tasks. Autonomous invocation is allowed by default (platform behavior) but not unusually privileged here.
Assessment
This skill appears coherent for scheduling WeCom (企业微信) webhook pushes and includes modest, readable Python scripts that only send messages to the official webhook endpoint. Before installing:
- Treat the webhook URL/key as a secret: avoid using a webhook with broad permissions or posting to production channels during testing. The automation will store the webhook URL in its prompt/configuration.
- The validate script prints a WEBHOOK_URL line on success; consider editing it to avoid emitting the full URL (use only the masked form) to prevent leakage in logs or auditing trails.
- If you plan to have the automation fetch web pages or GitHub trending content, confirm the agent's network-access and content-generation steps don't require additional credentials you don't want stored in automation prompts.
- Test with a non-critical test group/webhook and rotate the webhook key if it is accidentally exposed.
Overall, nothing in the package demands unrelated credentials or performs hidden exfiltration, but be cautious about how and where you store the webhook URL in automation metadata and logs.Like a lobster shell, security has layers — review code before you run it.
latestvk97f1pchtaf9v1y9bkkhy0v7t983qj5p
License
MIT-0
Free to use, modify, and redistribute. No attribution required.