Back to plugin

Security audit

OpenClaw WeCom

Security checks across malware telemetry and agentic risk

Overview

This appears to be a disclosed Enterprise WeChat integration, but it gives OpenClaw meaningful messaging, credential, file-media, and dynamic-agent authority that users should configure carefully.

Before installing, confirm you want OpenClaw to connect to Enterprise WeChat, receive messages, send replies/files, and optionally create dynamic agents. Use narrow WeCom credentials, restrict allowed users/groups and media roots, and avoid running the remote SSH scripts unless you intentionally need those maintenance operations.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.env_credential_access

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/set-reasoning-stream-remote.js:139
Evidence
const child = spawn("ssh", [host, ...remoteArgs], {

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/wecom-mcp-remote-call.js:765
Evidence
const result = spawnSync("ssh", [options.host, remoteCommand], {

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/wecom-mcp-remote-probe.js:713
Evidence
const result = spawnSync("ssh", [options.host, remoteCommand], {

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/wecom-mcp-remote-call.js:266
Evidence
const stateDir = String(process.env.OPENCLAW_STATE_DIR ?? "").trim();

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/wecom-mcp-remote-probe.js:251
Evidence
const stateDir = String(process.env.OPENCLAW_STATE_DIR ?? "").trim();

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
wecom/http.js:87
Evidence
process.env.WECOM_EGRESS_PROXY_URL || ""