WeChat CC
SuspiciousAudited by ClawScan on May 13, 2026.
Overview
This skill is a coherent WeChat-to-Claude gateway, but it includes a remote auto-execution path that can run Claude with permission checks disabled.
Install only if you intentionally want WeChat to control Claude Code. Avoid --auto-exec, or remove the permission-skipping flag and add sender allowlists first; protect WeChat/OceanBus state files, verify new routes, and prefer pinned dependency installs.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If auto-exec is enabled, a remote message could make Claude act on the local project and send results back without the usual permission review.
In auto-exec mode, any non-self OceanBus message text is passed to Claude in the current working directory with Claude's normal permission prompts disabled; the visible code does not require the sender to match a configured gateway before execution.
if (msg.from_openid === creds.openid) return; ... if (AUTO_EXEC && text.trim()) { ... spawn('claude', ['-p', text, '--dangerously-skip-permissions'], { cwd: process.cwd(), ... }); }Do not enable --auto-exec unless you fully trust the message source; remove '--dangerously-skip-permissions', add a strict sender allowlist, and require per-message approval for file or command actions.
In a multi-user gateway, one user's route command could affect where later messages are sent for other users or agents.
Route changes are saved to a single shared routes.json file; the visible command handler mutates routes and defaults without showing per-user route storage or an admin authorization check.
const ROUTES_FILE = path.join(STATE_DIR, "routes.json"); ... case "/addroute": { ... rt.routes[prefix] = { openId, name, addedAt: new Date().toISOString() }; ... saveRoutes(rt); } ... case "/default": { ... rt.default = prefix; saveRoutes(rt); }Scope route tables per WeChat user or require explicit administrator approval for /addroute, /removeroute, and /default changes.
Anyone who can control the linked WeChat session may be able to approve or deny Claude Code tool calls remotely.
The skill intentionally delegates Claude Code tool-approval decisions to WeChat yes/no replies, which is purpose-aligned but gives the linked WeChat account meaningful authority over local agent actions.
权限转发:CC 工具调用审批 → 微信 → 回复 yes/no 远程授权
Use only a trusted WeChat account, monitor approval prompts carefully, and log out or rotate state if the account or device may be compromised.
Sharing or leaking the wxOpenId could let an unexpected agent try to register a route with the gateway.
Agent registration is designed around sending an announce message to a wxOpenId; that is central to the product, but it makes the wxOpenId and routing approval boundary sensitive.
Agent 不需要扫码。知道 wxOpenId 后,向它发送 announce 即可自动注册。 ... Gateway 收到 → 自动添加路由 /cc-qMaP → qMaP...
Share wxOpenId only with trusted agents, review newly announced routes, and prefer explicit approval or allowlisting for new agent registrations.
A future dependency or repository change could affect what code runs in the remote-control gateway.
The documented standalone setup installs latest dependency versions and immediately runs the local script, which is a user-directed but less reproducible supply-chain path.
git clone https://github.com/ryanbihai/wechat-cc.git && cd wechat-cc; fi && npm install oceanbus@latest weixin-bot-plugin@latest && node standalone.cjs
Prefer pinned versions, npm ci with a reviewed lockfile, and install from a trusted, verified source.