ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Weixin Send Media

v1.0.2

Send images, PDFs, and other local files into an OpenClaw Weixin chat. Use when the user asks to send a picture, screenshot, PDF, document, attachment, or ot...

0· 139·0 current·0 all-time
by@starlxa

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for starlxa/weixin-sender.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Weixin Send Media" (starlxa/weixin-sender) from ClawHub.
Skill page: https://clawhub.ai/starlxa/weixin-sender
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install weixin-sender

ClawHub CLI

Package manager switcher

npx clawhub@latest install weixin-sender
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (send images/PDFs/attachments to an OpenClaw Weixin chat) aligns with the instructions (create/select a local file and send via the OpenClaw CLI). However, the SKILL.md explicitly requires running the 'openclaw' CLI while the skill metadata lists no required binaries—this mismatch should be resolved or documented.
!
Instruction Scope
Instructions permit using arbitrary absolute local paths and copying files from project folders into a deliveries/* directory before sending. There is no explicit constraint or confirmation step to prevent sending sensitive system files. The SKILL.md also expects access to 'trusted inbound metadata' (account_id, chat_id) but the metadata source and availability are not documented in the registry entry.
Install Mechanism
This is an instruction-only skill (no install spec, no code files), which minimizes disk-install risk. Still, it depends on the presence of the OpenClaw CLI at runtime but does not declare that binary as required in the registry—an inconsistency to fix.
Credentials
The registry requests no environment variables or credentials. The SKILL.md relies on inbound chat metadata (account_id and chat_id) rather than env vars, which is plausible, but the dependency on that metadata should be documented. No other credentials are requested, which is proportionate.
Persistence & Privilege
The skill is not marked always:true and is user-invocable. It does not request persistent presence or attempt to modify other skills or system-wide settings.
What to consider before installing
This skill does what it says (sending local files to a Weixin chat) but before installing consider: 1) Confirm the OpenClaw CLI is available on agents that will run this skill — the SKILL.md uses 'openclaw' but the registry did not declare it as a required binary. 2) Understand and verify how 'trusted inbound metadata' (account_id, chat_id) is provided and ensure it cannot be spoofed. 3) Require explicit user confirmation before sending files outside project/deliveries or from sensitive system paths; otherwise the skill could be used to send arbitrary local files. 4) If you want to limit risk, restrict the agent's filesystem access or disallow use of absolute paths, or reject the skill unless it documents the CLI dependency and adds safeguards (prompting before sending files outside approved directories).

Like a lobster shell, security has layers — review code before you run it.

latestvk971xr59nbs966ybtwnvwah6z583mdt4
139downloads
0stars
3versions
Updated 1mo ago
v1.0.2
MIT-0
@starlxa
latest
Download

weixin-send-media

Use this skill when the current channel is openclaw-weixin and the user wants a file or image delivered into chat.

Rules

  • Prefer sending the file directly instead of telling the user where it is.
  • Always use an absolute local path for generated files.
  • Before sending a user-facing export/share file, place it under deliveries/YYYY-MM-DD/HHMMSS/.
  • If the source file belongs to a project folder, keep the source there and create a share/export copy in the delivery folder.
  • If you need a test asset, generate a tiny file first, then send it.
  • For this environment, if no first-class messaging tool is available, use the OpenClaw CLI.

Send with CLI

Use:

openclaw message send \
  --channel openclaw-weixin \
  --account <account_id> \
  --target <chat_id_or_user_id> \
  --message "<optional caption>" \
  --media /absolute/path/to/file

Where to get values

  • account_id: use the trusted inbound metadata account_id for the current chat.
  • target: use the trusted inbound metadata chat_id for the current chat.
  • media: absolute path to the file you created or selected.

Typical uses

  • Send a generated PDF.
  • Send a generated PNG/JPG screenshot.
  • Send a DOCX/XLSX/PPTX file.
  • Send a local attachment as a quick delivery step after creating it.

Verification

After sending, briefly ask the user whether they received it.

Example

openclaw message send \
  --channel openclaw-weixin \
  --account 30c94de8bd87-im-bot \
  --target o9cq8086Br1CV1qVLcKn5WqTRpTE@im.wechat \
  --message "测试文件" \
  --media /root/.openclaw/workspace-wx-30c94de8/test.pdf

Comments

Loading comments...