WeCom MCP Setup
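v1.0.0
WeCom MCP configuration guide. Triggered when the user needs to "add WeCom", "configure WeCom", "enable WeCom messaging", or "set up WeCom integration". Provides complete MCP Server configuration, permission whitelist setup, and Gateway restart guidance.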
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (WeCom MCP configuration) match the instructions: editing OpenClaw mcporter.json, adding a wecom_mcp server, enabling tool whitelist, restarting Gateway, and validating. The steps and commands (openclaw, mcporter list, gateway restart) are coherent with the stated goal.
Instruction Scope
Instructions are narrowly scoped to MCP setup: edit ~/.openclaw/workspace/config/mcporter.json to add a wecom_mcp entry, set tools.alsoAllow if needed, restart gateway, and verify with mcporter list. They explicitly instruct placing WECOM_CORP_ID / WECOM_AGENT_ID / WECOM_SECRET in the config file (plaintext), which is expected for this task but carries the usual secret-management risks. No unrelated system-wide reads or exfiltration steps are present.
Install Mechanism
There is no formal install spec in the registry (instruction-only). The SKILL.md instructs running the server via 'npx -y wecom-mcp-server', which will fetch and execute a package from the npm registry at runtime. This is coherent for running a node-based MCP server, but it introduces moderate risk because npx downloads third-party code on demand (possible supply-chain/typosquatting risk). The skill does not suggest pinning a package version or verifying package provenance.
Credentials
The skill does not request additional environment variables or external credentials from the registry metadata. The credentials it instructs the admin to provide (Corp ID, Agent ID, Secret) are exactly what a WeCom integration needs; their placement in a local config file is proportionate but should be treated as sensitive data.
Persistence & Privilege
Skill is not always-enabled and is user-invocable. It is instruction-only and does not request persistent elevated privileges or modify other skills. The runtime actions (editing a local OpenClaw config and restarting the Gateway) are appropriate for configuring the integration.
Assessment
This is a legitimate, coherent setup guide for adding a WeCom MCP server to OpenClaw, but take these precautions before following it:
1) Treat the WECOM_* values as sensitive — do not commit mcporter.json into version control; store secrets in an encrypted store or OS secret manager if possible.
2) The guide runs the MCP server via 'npx -y wecom-mcp-server' which downloads and executes code from npm on demand — verify the package name, publisher, and ideally pin a specific version (e.g., wecom-mcp-server@1.2.3) or use a vetted release build (GitHub release or org-maintained artifact).
3) If you cannot verify the npm package, consider installing the server from a trusted source or running it in an isolated environment (container or restricted host).
4) After initial setup, rotate the application secret if it was exposed during testing.
5) If you want stronger guarantees, ask the skill author for the upstream package repository or an official vendor reference before using npx to run it.
Like a lobster shell, security has layers — review code before you run it.
latestvk97fyx2ccy04p24vf0hzyvfy8x840p4t
