WeChat ClawBot plugin installation
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The setup is mostly coherent for connecting WeChat, but it converts the WeChat login QR code into a third-party URL that may expose login QR data outside OpenClaw.
Before installing, decide whether you are comfortable sending WeChat login QR data to api.qrserver.com. If not, use a local terminal QR display or a local QR image generator. Also verify the npm package before running the @latest install command.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A third-party QR service may receive data associated with your WeChat login/linking flow, which could expose sensitive authentication context or account-linking information.
The patch embeds the QR-code input, which carries the WeChat login payload, into a third-party QR-generation URL. Opening that URL sends the login QR payload to qrserver.com, but the skill does not clearly explain this credential-like data exposure.
var imageUrl = "https://api.qrserver.com/v1/create-qr-code/?size=400x400&data=" + encoded;
Only use this patch if you trust the QR service. Prefer generating the QR image locally, using a real terminal that can display the ASCII QR code, or using a QR renderer that does not send the login payload to an external service.
The installed code may change over time, and the reviewed artifacts do not show the contents of the npm package that will be executed.
The setup depends on running the latest version of a remote npm package. This is purpose-aligned for installing a plugin, but it is unpinned and not covered by an install spec in the provided artifacts.
npx -y @tencent-weixin/openclaw-weixin-cli@latest install
Verify the npm package source and publisher before running it, and consider pinning a known-good version instead of using @latest.
The WeChat plugin’s dependency behavior will be changed locally, and plugin updates may overwrite or conflict with the patch.
The helper script directly modifies an installed JavaScript dependency under the OpenClaw extension directory. This is disclosed and aligned with the QR-display purpose, but it changes runtime code outside a normal package update flow.
sed -i '/var qrcode = new QRCode(-1, this.error);/c\\ ... ' "$QR_MAIN"
Review the patch before running it, keep the backup file, and reapply or remove the patch deliberately after plugin updates.
