ClawHub
Back to skill
v2.1.0

Wechat Connect

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 5:18 AM.

Analysis

The WeChat pairing purpose is coherent, but the skill automatically runs an unpinned installer, changes OpenClaw messaging settings, and exposes sensitive login state through a local HTTP/status flow.

GuidanceBefore installing, confirm you trust the publisher and the npm package, prefer a pinned/reviewed installer version, and be aware the skill will store WeChat account data and enable a WeChat channel in OpenClaw. Do not proceed unless the local HTTP status endpoint is fixed to avoid exposing tokens and you know how to disable or revoke the pairing.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
SeverityHighConfidenceHighStatusConcern
SKILL.md
未安装 → 自动执行安装 ... npx -y @tencent-weixin/openclaw-weixin-cli@latest install

The skill documents automatic execution of a remote npm installer using @latest, so the code that runs at install time is not pinned to the reviewed skill version.

User impactInstalling the skill may run newly published installer code from npm as the local user, even if that code was not part of the reviewed artifacts.
RecommendationPin the installer version, publish a clear install spec/provenance, and require an explicit user confirmation before running the npm installer.
Tool Misuse and Exploitation
SeverityMediumConfidenceHighStatusConcern
SKILL.md
openclaw config set channels.openclaw-weixin.enabled=true ... dmPolicy=allowlist ... allowFrom=[<userId>] ... Gateway 在后台自动重启

The skill changes OpenClaw channel configuration and restarts the gateway as part of the automatic pairing flow, without documenting a separate approval, rollback, or containment step.

User impactThe skill can alter how OpenClaw receives WeChat messages and keep the channel enabled after the setup flow finishes.
RecommendationShow the exact configuration changes before applying them, ask for confirmation, and provide clear disable/rollback instructions.
Human-Agent Trust Exploitation
SeverityMediumConfidenceHighStatusConcern
SKILL.md
WARNING: Plugin "openclaw-weixin" contains dangerous code patterns ... 安装完成后警告可忽略,插件正常运行。

The security note tells users to ignore a dangerous-code warning for the plugin while the skill also auto-installs an unpinned external package.

User impactUsers may be discouraged from reviewing a real security warning before allowing installation and account pairing.
RecommendationDo not tell users to ignore warnings; instead explain the exact capabilities, link to reviewed source/provenance, and let the user decide before installation.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityMediumConfidenceHighStatusNote
SKILL.md
写入 ~/.openclaw/openclaw-weixin/accounts/{id}.json ... 账号 token 必须与 ilink_bot_id 匹配

The skill necessarily pairs and persists a WeChat account token for the integration, which is purpose-aligned but sensitive account authority.

User impactAfter pairing, OpenClaw and the installed plugin may be able to act through the connected WeChat account/channel according to the plugin’s permissions.
RecommendationInstall only if you trust the publisher and plugin, verify stored account-file permissions, and know how to revoke or remove the paired account.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityHighConfidenceHighStatusConcern
scripts/start.mjs
server.listen(HTTP_PORT, () => { ... }); ... 'Access-Control-Allow-Origin': '*'; res.end(JSON.stringify(readStatus())); ... updated.botToken = data.bot_token;

The status API returns the full status object with permissive CORS, while the login flow places sensitive WeChat login material such as botToken into that status object after confirmation.

User impactOther local web pages or reachable clients could read WeChat pairing status or session material from the local server.
RecommendationBind only to 127.0.0.1, remove wildcard CORS, never return bot tokens from the browser status endpoint, store temporary state in a private directory with restrictive permissions, and close the server after pairing.