Wecom

v1.0.3

Send messages to WeCom (企业微信) via webhooks using MCP protocol. Works with Claude Code, Claude Desktop, and other MCP clients.

by christo@qidu
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description (WeCom webhook sender) matches the code and SKILL.md. The runtime code posts message payloads to the webhook URL and exposes the stated tools (send_wecom_message, send_wecom_markdown, send_wecom_markdown_v2).
Instruction Scope
SKILL.md instructions are narrowly scoped to installing dependencies, building, setting WECOM_WEBHOOK_URL, and registering the MCP entrypoint. The instructions do not request unrelated files, system credentials, or network endpoints beyond the configured webhook and benign image URLs used in documentation.
Install Mechanism
There is no platform-level install spec, but the package includes package.json/package-lock, and SKILL.md instructs the user to run npm install and build. Dependencies (axios, @modelcontextprotocol/sdk) come from npm. This is a normal pattern, but it means npm will fetch third-party packages at install time. No arbitrary download URLs or archive extraction were found.
Credentials
Runtime requires a single webhook URL (WECOM_WEBHOOK_URL) and an optional timeout (WECOM_TIMEOUT_MS) — appropriate for the stated purpose. However, registry metadata reported 'required env vars: none' while skill.json and SKILL.md declare WECOM_WEBHOOK_URL as required; this metadata mismatch should be resolved before trusting automated installers.
Persistence & Privilege
Skill is not always-enabled, is user-invocable, and does not request system-wide privileges or modify other skills. It runs as a normal MCP server over stdio and does not persist credentials or change system configuration.
Assessment
This skill appears to do exactly what it says: post messages to a WeCom incoming webhook. Before installing:
1) supply a trusted WECOM_WEBHOOK_URL (the skill will send whatever text/markdown you pass to that URL);
2) be aware npm install will fetch third-party packages (axios and an MCP SDK); only install if you trust those sources;
3) note a metadata inconsistency: registry metadata lists no required env vars but SKILL.md/skill.json require WECOM_WEBHOOK_URL; double-check the skill's env settings in any automated installer to ensure you don't accidentally expose the webhook or omit the required variable;
4) avoid putting sensitive secrets into messages sent by this skill and do not share the webhook URL publicly (it can be used by anyone who has it).
If you want extra assurance, inspect the package.json/package-lock contents and run npm install in an isolated environment first.
dist/index.js:16
Environment variable access combined with network send.
src/index.ts:18
Environment variable access combined with network send.
Confirmed safe by external scanners
Static analysis detected API credential-access patterns, but both VirusTotal and OpenClaw confirmed this skill is safe. These patterns are common in legitimate API integration skills.
