Wxpush

v0.1.1

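WeChat template message push skill. Supports three wxpush API formats: edgeone (default), wxpush (the frankiejun project), and go-wxpush. Use cases: sending WeChat push messages and configuring the wxpush environment.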

MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description, required binaries (curl, python3), and the documented behaviors align: reading a local config and sending HTTP requests to a wxpush endpoint is expected for this skill. One small note: the SKILL.md expects a config file at ~/.config/wxpush/wxpush.env (containing tokens/AppID/Secret) even though no required env vars were declared — this is reasonable for an instruction-only skill but worth noting.
Instruction Scope
Instructions confine themselves to creating/reading ~/.config/wxpush/wxpush.env and performing HTTP POST/GET to the configured WXPUSH_API_URL using curl (or Python fallback). They do not attempt to read other system files or unrelated environment variables. Important security implication: the instructions explicitly send AppID/Secret/Token to the configured endpoint (and by default to documented third‑party endpoints), so secrets in the local config will be transmitted to remote services.
Install Mechanism
No install spec and no code files — this is instruction-only and does not write or execute bundled binaries. Lowest install risk.
Credentials
The skill requests no platform environment variables but directs the user/agent to store sensitive values in ~/.config/wxpush/wxpush.env (token, appid, secret). That is proportionate to the functionality, but storing secrets in a local file and transmitting them to remote endpoints (especially the default third‑party endpoints) is the main risk vector and should be considered before use.
Persistence & Privilege
always is false and there is no attempt to modify other skills or system settings. The skill is user-invocable and can be run autonomously by the agent (the platform default) — not a standalone concern here.
Assessment
This skill appears to do what it says: it reads/writes ~/.config/wxpush/wxpush.env and sends messages to a configured HTTP endpoint using curl or python. Before installing or using it:
(1) Understand that your WXPUSH_API_TOKEN, WXPUSH_APPID and WXPUSH_SECRET (if set) will be sent to the configured endpoint — the default endpoints mentioned in the docs are third‑party services; only use them if you trust those operators.
(2) If you have security/privacy concerns, deploy your own server and set WXPUSH_API_URL to your instance.
(3) Keep the config file permissions restrictive (the docs suggest 600) and avoid putting other secrets there.
(4) Because this is instruction-only, there's no bundled code to review — the runtime actions are exactly those in SKILL.md; review those curl/python snippets to confirm they meet your policies.
(5) Allow agent/autonomous invocation only if you are comfortable the agent may send test messages using stored credentials.


latestvk974q9ggfcry8aj0dmrncdpzx183epv3


Runtime requirements

💬 Clawdis
Bins: curl, python3
