Skill v1.0.2
ClawScan security
macos-wechat-send · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 17, 2026, 12:52 PM
- Verdict: Benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and requirements are consistent with its stated purpose (automating WeChat on macOS), with only minor hygiene issues to review before use.
- Guidance: This skill appears to do what it says: drive WeChat via AppleScript and clipboard. Before installing or running it:
  1. Inspect the bundled scripts yourself (they are included) to verify no unexpected network calls or extra commands.
  2. Be aware you will need to grant Accessibility permissions to your terminal/osascript; this allows UI control and is required for the functionality.
  3. The tool uses the clipboard and copies files via Finder; avoid running it when you have sensitive clipboard contents.
  4. Note the skill writes a small state file (~/.openclaw/.../.last_contact) containing the last contact name; remove or relocate it if you prefer not to persist that data.
  5. The shell wrapper includes a hardcoded path (/Users/sincere/...); adjust the virtualenv path on your machine if needed.

  If you want higher assurance, run the scripts in a controlled account or review/modify them before use.
Review Dimensions
- Purpose & Capability (ok): Name/description match behavior: AppleScript + clipboard + Finder automation to send text/files via WeChat Mac. Required system items (macOS, WeChat running, accessibility permission) align with the stated purpose. No unrelated cloud credentials or unrelated binaries are requested.
- Instruction Scope (note): SKILL.md and the scripts instruct the agent to activate WeChat, manipulate clipboard, run AppleScript (osascript), and interact with Finder, all necessary for GUI automation. The runtime will read/write a small state file (~/.openclaw/...) to track last contact; this is within scope but worth noting since it stores the last-contact name on disk. The scripts operate on local files only and do not attempt network exfiltration.
- Install Mechanism (ok): No install spec; instruction-only with bundled scripts. No external downloads or package installs are performed by the skill itself, minimizing install-time risk.
- Credentials (note): The skill requires no environment variables or credentials. It does read/write a state file under the user's home (~/.openclaw/...), and the shell wrapper contains a hardcoded fallback path (/Users/sincere/.openclaw/...), which appears to be a developer artifact and may fail on other machines or leak a username if repackaged. No sensitive tokens are requested.
- Persistence & Privilege (ok): always:false and no modification of other skills or system-wide config. The only persistent effect is the state file storing the last-contact name; the skill also requires macOS Accessibility permission for the terminal/osascript to control the UI, which is standard for this kind of automation.
