Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
mmxagent-skill-wechat
v1.0.1连接个人微信(不是企业微信)。用户说"连接个人微信"、"接入个人微信"、"绑定个人微信"、"个人微信扫码"时使用本 skill。注意:如果用户说的是"企业微信"或"企微",本 skill 不适用,请使用 wecom-connect skill。一旦匹配本 skill,必须严格按流程执行到底,不得跳步或自由发挥。
⭐ 0· 39·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description (connect personal WeChat via OpenClaw) align with what the instructions do: install an openclaw/weixin plugin, call Weixin ilink APIs, generate a QR code, store returned credentials in ~/.openclaw/openclaw-weixin. No unrelated credentials or external services are requested beyond CDN upload for the QR image.
Instruction Scope
Instructions require running multiple shell commands, calling internal endpoints (ilinkai.weixin.qq.com), and writing returned bot_token/baseurl/user id values directly into a here-doc JS file and executing it. The spec mandates combining commands into single exec calls and explicitly inserts unescaped placeholders into shell/node strings (e.g., '<qrcode_img_content>' and '<bot_token>'). That creates a realistic risk of command or code injection if values are not properly sanitized. The flow also requires writing secret tokens to disk and restarting the openclaw gateway — these operations are within the task domain but are sensitive and should be inspected.
Install Mechanism
This is an instruction-only skill (no install spec). At runtime it instructs installing/upgrading packages with npx and npm (e.g., @tencent-weixin/openclaw-weixin-cli and global openclaw) and installing the qrcode npm package in /tmp. Downloading runtime packages from npm is expected for this task but still elevates risk vs. pure-instruction skills because arbitrary remote code will run locally.
Credentials
The skill declares no required env vars, which matches metadata, but the instructions read HOME and write credential files under HOME (~/.openclaw/openclaw-weixin/*). Storing bot_token plaintext on disk is necessary for the plugin to work but is sensitive. The skill does not request unrelated credentials, which is good.
Persistence & Privilege
The skill does not request always:true and does not modify other skills. It writes credential files into the user's OpenClaw plugin config and restarts the openclaw gateway — operations that change local system state and service behavior, which are coherent with purpose but are privileged and should be done with user awareness.
What to consider before installing
This skill appears to do what it claims, but review before running: 1) Inspect the exact commands the agent will execute — ensure returned API values (qrcode, bot_token, baseurl, user id) are safely escaped/quoted before being embedded into shell/node commands to avoid injection. 2) Be aware it will install/upgrade global npm packages and run npx/npm commands; run in a controlled environment if you don't want system-wide changes. 3) It will write sensitive bot_token and IDs to ~/.openclaw/openclaw-weixin/*.json — ensure you trust the plugin and environment, and consider the filesystem permissions and backup/exfil risk. 4) upload_to_cdn will publish the QR image to a CDN (potentially public); if that is a privacy concern, decline or ensure the CDN is trusted. 5) The skill will restart the openclaw gateway; expect a brief service interruption. If you are not comfortable with automated command execution, consider performing these steps manually or asking the maintainer for a version that sanitizes/validates all substituted values and prints commands for explicit user approval before exec.Like a lobster shell, security has layers — review code before you run it.
latestvk97bfmq35s60qx13gtn0qyjng584337y
License
MIT-0
Free to use, modify, and redistribute. No attribution required.