ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Wechat Send

v2.0.1

Send a message to a contact or group via macOS WeChat desktop client. Use when the user asks to send a WeChat message, message someone on WeChat, or reply to...

0· 87·0 current·0 all-time
byLnation@chuntong007
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description ask to send WeChat messages on macOS and the skill requires WeChat, Accessibility permission, and cliclick — all directly relevant. The included script performs UI automation, OCR, and paste/send operations that match the claimed capability.
Instruction Scope
SKILL.md and the script only direct local operations: activate/rescale the WeChat window, search, take screenshots under /tmp, run local Swift OCR, and paste/send text. This matches the purpose. Note: the skill explicitly asks the agent to read /tmp/wechat_search_dropdown.png when fallback occurs — that screenshot can contain sensitive information (contact names, partial conversation snippets), so agent access to these files is expected but is a privacy consideration.
Install Mechanism
Install uses a Homebrew formula (cliclick), a standard and well-known package source for macOS. No downloads from untrusted URLs or arbitrary archives are used.
Credentials
No environment variables or external credentials are requested. The script uses temporary files in /tmp for clipboard content and screenshots — functionally necessary for CJK/multiline clipboard handling and OCR, but these artifacts may persist temporarily and are accessible to other local processes.
Persistence & Privilege
Skill is not always-on and does not require elevated system privileges beyond standard Accessibility permissions for UI scripting. It does not modify other skills or system-wide configuration. Autonomous invocation is allowed by default but is not combined with broad credentials or other red flags.
Assessment
This skill appears to do what it says: automate the macOS WeChat desktop UI to send messages. Before installing, consider: (1) You must grant Accessibility permissions and have WeChat logged in. (2) The script saves screenshots and a temporary clipboard file under /tmp (e.g., /tmp/wechat_search_dropdown.png, /tmp/wechat_verify_title.png, /tmp/wechat_send_clip.txt); these may contain sensitive text and are readable by other local users/processes — clean them if needed. (3) Installation uses Homebrew's cliclick (standard). (4) If you want to limit risk, review the provided script yourself and run it in a controlled environment, and avoid giving the agent autonomous ability to run the skill if you prefer manual control.

Like a lobster shell, security has layers — review code before you run it.

latestvk97384snn9yfn8ny95a78xkq4n84f7j3

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

💬 Clawdis
OSmacOS
Binscliclick

Install

安装 cliclick(brew)
Bins: cliclick
brew install cliclick

Comments