Back to skill
Skillv2.1.0
VirusTotal security
Wechat Connect · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMay 1, 2026, 3:20 AM
- Hash
- ea5e43adcaa0f4b9c33cc3bac1e2b5ebacb87667c9a14b8618a51fa2bacc6641
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: wechat Version: 2.1.0 The skill automates the installation of a WeChat plugin by executing remote code via 'npx -y @tencent-weixin/openclaw-weixin-cli@latest install' and starting a local HTTP server on port 8765 to facilitate a QR code login flow. While these actions are consistent with the stated purpose, the combination of remote package execution, local service hosting, and explicit instructions in SKILL.md to ignore security warnings regarding 'dangerous code patterns' (environment variable access and network communication) presents a significant security risk. The script also modifies local configuration files and restarts the OpenClaw gateway, which are high-privilege operations.
- External report
- View on VirusTotal