Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Wechat Connect

v2.1.0

Install OpenClaw's official WeChat plugin and complete account pairing via QR code scan. Triggers when the user says "install WeChat plugin", "connect WeChat...

by manifold (@manifoldor)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
Name/description match what the skill does: check plugin install, run an installer (npx), fetch a WeChat QR, host a local page, poll status, and persist account info and OpenClaw config. The requested capabilities and filesystem/config changes align with pairing a chat plugin.
Instruction Scope
Runtime instructions and script actions stay within the pairing use case but include risky behaviors:
(1) The local /status API sets 'Access-Control-Allow-Origin: *' and the status file is used to return full JSON. After confirmation that JSON includes bot_token and ilink_bot_id, so this exposes sensitive tokens to any web origin that can reach localhost from the user's browser (a known localhost CSRF/remote page interaction risk).
(2) The skill writes unencrypted tokens/account JSON into ~/.openclaw/openclaw-weixin/, and writes a status JSON to /tmp; both can be read by other local users/processes if file permissions are not restricted.
(3) The SKILL.md instructs using npx to install a third-party CLI at runtime (not declared in package metadata).
These behaviors expand the data surface beyond just displaying a QR code.
Install Mechanism
There is no registry install spec in metadata, but the instructions (and likely the script) call `npx -y @tencent-weixin/openclaw-weixin-cli@latest install`. That pulls and runs code from npm at runtime. This is a common pattern for plugin installs but is a moderate risk because arbitrary code from the npm package will execute on the machine; the skill itself does not vendor or pin the installer.
Credentials
The skill declares no required env vars, yet the plugin it installs is noted to access environment variables and network send capabilities (the SKILL.md includes an explicit warning). The skill also writes persistent tokens to the user's home config. Requesting no env vars in metadata while installing a plugin that accesses env/network is a mismatch the user should be aware of — installing the plugin grants it access to environment secrets and network.
Persistence & Privilege
The skill modifies OpenClaw config (enables the channel, sets dmPolicy and allowFrom) and writes account files under ~/.openclaw. That is consistent with enabling an integration but is persistent and will change the agent's behavior (and cause the gateway to restart). 'always' is not set, and autonomous invocation is default — nothing here is requesting platform‑level always‑on privilege, but the skill does alter configuration persistently.
What to consider before installing
This skill appears to perform the WeChat pairing flow it describes, but take these precautions before installing:
- Review the third-party installer package (@tencent-weixin/openclaw-weixin-cli) before running it. The skill calls npx at runtime, which downloads and executes code from npm; verify the package source and contents. Pinning a known good version is safer than `@latest`.
- Understand that the plugin (per SKILL.md) may read environment variables and transmit data over the network. If you have any secrets in your environment, treat this as granting the plugin the ability to access them.
- The script saves tokens/account JSON in ~/.openclaw/openclaw-weixin and writes a status JSON under /tmp. These files are stored unencrypted; on multi-user systems or shared machines other users/processes may be able to read them. Consider restricting file permissions or using a dedicated, isolated environment.
- The local web service exposes a /status endpoint with Access-Control-Allow-Origin: *. After login the status JSON includes bot_token and other IDs; this combination can let a malicious web page running in your browser read the token by making requests to http://localhost:8765. Only run this on a machine/browser you trust; remove or harden the CORS policy in the script if you control the installation.
- If you decide to proceed, prefer to: (a) inspect the start.mjs and the npm install package, (b) run the installation in an isolated environment (container or VM), or (c) temporarily remove sensitive env vars or stop other untrusted local services during pairing.
Given these factors the skill is coherent with its stated purpose but has material risks (runtime package install, local token persistence, and an overly permissive local API) that you should mitigate before use.
scripts/start.mjs:59
Shell command execution detected (child_process).
scripts/start.mjs:9
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.
