Ocean Chat

Suspicious

Audited by ClawScan on May 13, 2026.

Overview

Ocean Chat is a real messaging and WeChat bridge skill, but it also enables persistent remote control and command execution on the user's computer.

Install only if you intentionally want a persistent remote-control bridge. Avoid enabling PM2 startup or --on-message until you have reviewed the code, restricted trusted senders, and confirmed how to stop the listener and revoke WeChat/OceanBus credentials.

Findings (8)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern (High Confidence)
ASI05: Unexpected Code Execution
What this means

If enabled, a remote message could influence commands or prompts that run on the user's computer.

Why it was flagged

The skill documents executing a local command when a message arrives, with remote message fields available for substitution; the static scan also reports child_process exec(cmd) in chat.js.

Skill content
--on-message "cmd"                    run a command when a message arrives {from} {openid} {content} {time}
Recommendation

Do not enable --on-message for untrusted senders; require confirmation, use a strict sender allowlist, and never interpolate message content into a shell string (pass the fields as separate arguments to a spawn/execFile-style call instead).

What this means

Remote instructions could cause the local agent to read or modify project files, run tools, or take other high-impact actions.

Why it was flagged

The documented workflow is not just messaging; it routes remote tasks to a local coding agent to execute and report back.

Skill content
Claude Code on the computer receives the task → executes it → automatically replies with the result
Recommendation

Use this only with trusted contacts, keep the agent sandboxed, and require explicit user approval before file changes, command execution, or credential use.

Concern (High Confidence)
ASI01: Agent Goal Hijack
What this means

A remote message may override the user's current intent or reduce opportunities for the user to approve risky actions.

Why it was flagged

The document instructs a receiving agent to treat future Bridge messages as authoritative and suppress normal clarification or approval.

Skill content
Behavior rules (must be followed)... **Execute the task**: parse the message content and complete the operation the user requested ... Do not ask the user any questions.
Recommendation

Remove mandatory/no-question language and require the agent to treat Bridge messages as untrusted until the local user confirms high-impact tasks.

Concern (High Confidence)
ASI10: Rogue Agents
What this means

The listener can keep running in the background after setup or reboot and continue receiving remote instructions.

Why it was flagged

The setup guide recommends a persistent PM2 listener, including saved process state and startup configuration.

Skill content
pm2 start chat.js --name ob -- listen
pm2 save
pm2 startup
Recommendation

Make persistence opt-in, document how to stop and delete the pm2 process and undo the startup hook, and show a clear listener status before accepting remote tasks.

What this means

If pairing or sender identity is wrong or compromised, messages can be routed to a local agent as executable work.

Why it was flagged

The bridge pairs a WeChat user to a CC OpenID via a text command and then forwards WeChat messages into OceanBus.

Skill content
const pairMatch = text.match(/^pair\s+(\S+)\s+(\S+)/i); ... await obSender(pairing.ccOpenId, messageBody);
Recommendation

Require confirmation on both WeChat and CC sides, sign or authenticate pairings, and restrict which contacts can send task messages.

What this means

The skill may use an existing WeChat bot login to send messages, which is expected for notifications but sensitive.

Why it was flagged

The skill can auto-discover a WeChat plugin token from a local OpenClaw account directory to send notifications.

Skill content
path.join(os.homedir(), '.openclaw', 'openclaw-weixin', 'accounts') ... token: data.token
Recommendation

Review which account is used, prefer explicit environment variables, and revoke or rotate tokens if you stop using the bridge.

What this means

Contact names, OpenIDs, tags, notes, and related context may persist and be reused across skills.

Why it was flagged

The address book is persistent and shared with other OceanBus skills.

Skill content
ob.roster.*           ← shared address book (~/.oceanbus/roster.json) ... other OceanBus Skills ... share the same Roster data
Recommendation

Avoid storing sensitive notes in the roster and periodically review or delete shared contact data you no longer need.

What this means

Dependency updates or a compromised package could affect the local listener or bridge.

Why it was flagged

The skill depends on external npm packages with caret version ranges; this is normal for a Node tool but affects what code runs locally.

Skill content
"dependencies": { "oceanbus": "^0.9.0", "qrcode-terminal": "^0.12.0" }
Recommendation

Install from a trusted source, use the provided lockfile where possible, and review dependency updates before running persistent services.