Wechat Connect Review
Audited by ClawScan on May 10, 2026.
Overview
The skill appears to perform the advertised WeChat setup, but it automatically runs an unpinned installer and exposes pairing/status data through a broad local web service.
Install only if you trust this publisher and the Tencent WeChat package. Prefer a pinned installer version, run pairing on a trusted network, close the local server after setup, and verify the stored account/channel allowlist after pairing.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A changed or compromised latest package could install different code than the user expected.
The skill automatically executes an unpinned @latest npm installer. That is aligned with the install purpose, but it gives remote package code high-impact installation authority without a pinned version.
Not installed → automatically run installation ... npx -y @tencent-weixin/openclaw-weixin-cli@latest install
Use a pinned package version and review the installer source/provenance before allowing automatic installation.
A malicious webpage or another reachable client could read pairing status data and potentially interfere with or observe the login flow.
The status endpoint returns the status file contents with CORS allowed for all origins, and the server is started without explicitly binding to localhost. The visible flow stores the QR code in that status file and later adds login identifiers/token fields to the status object.
writeStatus({ qrcode: data.qrcode ... }); ... 'Access-Control-Allow-Origin': '*' ... res.end(JSON.stringify(readStatus())); ... server.listen(HTTP_PORT
Bind the server to 127.0.0.1, remove wildcard CORS, and return only the minimal UI status fields needed by the page.
Temporary files on the machine could be exposed to clients that can reach the local server.
The HTTP server can read and serve arbitrary requested files under /tmp, not just the generated QR page and image.
const BASE_DIR = '/tmp'; ... let filePath = path.join(BASE_DIR, pathname === '/' ? 'weixin-qr-display.html' : pathname); ... const data = readFileSync(filePath);
Serve only an explicit allowlist of generated files, and avoid using a broad shared directory as the static web root.
After pairing, WeChat can become an active channel into the user's OpenClaw environment.
The skill persists WeChat account data and enables an OpenClaw WeChat channel. This is expected for pairing, but it is account-level delegated authority.
Write ~/.openclaw/openclaw-weixin/accounts/{id}.json ... openclaw config set channels.openclaw-weixin.enabled=true ... allowFrom=[<userId>]
Pair only the intended account, confirm the allowlist is correct, and know how to revoke or remove the stored account files if needed.
Users may dismiss a meaningful warning before trusting an external installer and account integration.
The skill tells users they can ignore a dangerous-code warning for the installed plugin, even though the plugin code is not included in the reviewed artifacts.
WARNING: Plugin openclaw-weixin contains dangerous code patterns ... The warning can be ignored once installation completes
Do not ask users to ignore security warnings; explain the exact permissions and link to reviewed plugin source or a pinned release.
