ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

WeChat Group Operator

v0.1.0

WeChat group operations automation for Windows desktop WeChat. Use when the user wants to run recurring group engagement workflows such as morning questions,...

0· 15·0 current·0 all-time
byKoi@jinhuadeng
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill implements scheduled posting from local content pools to WeChat groups, which aligns with its description. However the code hard-codes a sender script path (C:\Users\Lenovo\.openclaw\workspace\skills\wechat-desktop-sender\scripts\wechat_send.py) that is not declared in the metadata or SKILL.md as a dependency. That missing dependency is disproportionate to the stated functionality and should be documented or made configurable.
Instruction Scope
SKILL.md stays within the stated domain (editing group whitelist, content pools, dry-run/real send, cron). The runtime instructions rely on an external desktop sender capability but do not instruct the user how to obtain/install it or verify it. The code reads/writes only local asset files and does not access environment variables or network endpoints directly, which is appropriate — but it will execute the external sender script, giving that script full ability to run arbitrary code.
Install Mechanism
No install spec (instruction-only plus bundled script/assets). No remote downloads or package installs are performed by the skill itself.
Credentials
The skill requests no environment variables or external credentials. It only reads and writes local asset files. This is proportionate. Note: it references a path in the user's .openclaw workspace which may contain other tool artifacts — the path dependency should be explicit.
Persistence & Privilege
The skill is not always-enabled and does not request elevated privileges. It writes its own post_history file (a reasonable local persistence). It does not modify other skills' configs, but it does invoke another skill's sender script by path.
What to consider before installing
This package mostly does what it says, but check two things before using or scheduling it: - Sender script dependency: The code calls a hard-coded local sender script at C:\Users\Lenovo\.openclaw\workspace\skills\wechat-desktop-sender\scripts\wechat_send.py. Make sure that file exists and is from a trusted source. Because the skill runs that script with Python, that script can execute arbitrary code on your machine — review its contents before running. - Missing history file: The code expects assets/post_history.json but that file is not present in the package manifest. Create an initial assets/post_history.json (e.g., {"posts": []}) or add handling for a missing history file to avoid runtime errors. - Operational safety: Always run --dry-run first and inspect the produced message text. Only attach to cron after you confirm sends are correct and the sender script is trusted. Consider modifying the skill to make the sender path configurable (env var or config) instead of hard-coding a user-specific path, and to fail clearly if the sender script is missing. If you cannot inspect or verify the sender script, treat this skill as risky because it executes another local program with full code-execution ability. If you can verify and/or change the hard-coded path to a known-good sender, the skill is reasonable for its intended purpose.

Like a lobster shell, security has layers — review code before you run it.

latestvk97fcmd9yk89fgvzpfajcnafqh8549bf
15downloads
0stars
1versions
Updated 4h ago
v0.1.0
MIT-0
Koi@jinhuadeng
latest
Download

wechat-group-operator

Use this skill to operate designated WeChat groups on a recurring schedule.

What this skill provides

  • group whitelist config
  • content pools for questions / followups / cases
  • post history to reduce repeats
  • execution script for one action at a time
  • compatibility with OpenClaw cron jobs

Files

Core files:

  • scripts/wechat_group_operator.py
  • assets/groups.json
  • assets/post_history.json
  • assets/content/questions.json
  • assets/content/followups.json
  • assets/content/cases.json

Supported actions

  • morning_question
  • afternoon_followup
  • evening_case

Quick start

Dry run

python scripts/wechat_group_operator.py --action morning_question --dry-run
python scripts/wechat_group_operator.py --action evening_case --group "Core突击龙虾🦞" --dry-run

Real send

python scripts/wechat_group_operator.py --action morning_question
python scripts/wechat_group_operator.py --action afternoon_followup
python scripts/wechat_group_operator.py --action evening_case

Recommended workflow

  1. Edit assets/groups.json to maintain target group whitelist
  2. Edit content pools under assets/content/
  3. Dry run first
  4. Run real send manually
  5. Attach to OpenClaw cron when stable

OpenClaw routing guidance

Map user intent like this:

  • “上午往群里抛一个问题” → morning_question
  • “下午追问一下群里讨论” → afternoon_followup
  • “晚上发一个案例到群里” → evening_case
  • “给指定群先预演一下今天会发什么” → add --dry-run

Boundaries

Current MVP assumes:

  • groups are manually whitelisted
  • content comes from maintained pools
  • one action runs at a time
  • sending uses existing desktop WeChat sender capability

Do not claim support yet for:

  • automatic discovery of groups where the user is owner
  • automatic web research and content generation inside this skill
  • advanced WeChat content forwarding/media posting

Read more when needed

  • references/config.md
  • references/actions.md
  • references/cron-setup.md

Comments

Loading comments...