v1.2.0

weixin-send

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 8:18 AM.

Analysis

This is a coherent WeChat messaging fallback, but it bypasses normal OpenClaw messaging controls and uses local WeChat bot tokens to send outbound messages, so it needs careful review before installation.

GuidanceInstall this only if you specifically need a fallback for proactive WeChat text pushes when the normal OpenClaw message tool is unavailable. Prefer the native message tool, confirm recipients and message text before sending, verify the local openclaw-weixin account files and endpoint, and avoid persistent cron sends unless you explicitly want ongoing background messages.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityHighConfidenceHighStatusConcern

SKILL.md

本 skill 通过直接调用微信 ilink API 绕过这一限制，实现**从任意 session/脚本主动向微信用户发消息**。
...
- 不经过 OpenClaw 通道框架，不触发 session 日志

The documented workflow intentionally bypasses the normal OpenClaw channel framework and session logging, allowing direct message sending from any session or script.

User impactMessages may be sent outside the usual OpenClaw messaging tool controls and audit trail.

RecommendationUse the native OpenClaw message tool when available; if using this fallback, restrict who can invoke it, confirm the recipient and message text, and keep an external audit trail.

Rogue Agents

SeverityLowConfidenceHighStatusNote

SKILL.md

"schedule": { "kind": "cron", "expr": "0 9 * * *", "tz": "Asia/Shanghai" },
...
"运行命令发送提醒：python3 ~/.openclaw/workspace/skills/weixin-send/send.py send ..."

The documentation shows how to configure scheduled background sends. This is user-directed and aligned with the skill purpose, but it creates ongoing outbound messaging if the user installs such a schedule.

User impactScheduled reminders or background jobs could continue sending WeChat messages until removed.

RecommendationReview any cron or scheduled agent-turn configuration using this skill and remove schedules that are no longer wanted.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityHighConfidenceHighStatusConcern

send.py

ACCOUNTS_DIR = Path.home() / ".openclaw" / "openclaw-weixin" / "accounts"
...
token = acct["token"]
...
"Authorization": f"Bearer {token}"

The script loads a local WeChat bot account token and uses it as a bearer credential to send messages, even though the registry metadata declares no primary credential or required config path.

User impactAn agent that invokes this skill can use the locally logged-in WeChat bot account to send messages as that bot.

RecommendationOnly install if you intend agents to use the local openclaw-weixin bot token; prefer declaring and reviewing this credential access, and require explicit user approval or target scoping before sends.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication

SeverityLowConfidenceMediumStatusNote

send.py

base_url = acct.get("baseUrl", "https://ilinkai.weixin.qq.com")
...
url = f"{base_url.rstrip('/')}/ilink/bot/sendmessage"

The message body, target user ID, context token, and bearer token are sent to the configured provider endpoint, defaulting to WeChat's ilink API. This is expected for the skill, but users should understand the data boundary.

User impactMessage contents and routing identifiers leave the local environment and are sent to the configured WeChat API endpoint.

RecommendationVerify the openclaw-weixin account configuration, especially baseUrl, and avoid sending sensitive content unless this provider flow is acceptable.