Webhook Robot

Pass

Audited by ClawScan on May 1, 2026.

Overview

This skill appears to do what it says—send webhook messages—but it uses bot keys/tokens and posts content to external chat services, so users should verify recipients and secrets.

Before installing or using this skill, make sure you trust the webhook destinations and understand that any content you provide may be posted to external chat or notification services. Treat bot tokens, webhook keys, and secrets like passwords; avoid sharing them in logs or command history, and rotate them if exposed.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Messages could be sent to a chat, group, or notification channel using the supplied bot credentials.

Why it was flagged

The skill exposes scripts that can send user-supplied content to external chat or notification services. This is purpose-aligned, but message-sending tools can affect public or team-visible spaces if invoked with valid credentials.

Skill content

python3 scripts/send_telegram.py --token "BOT_TOKEN" --chat_id "CHAT_ID" --content "Hello"

Recommendation

Confirm the destination and message content before using the skill, especially for shared, public, or work channels.

What this means

Anyone with these keys or tokens may be able to send messages through the corresponding bot or webhook.

Why it was flagged

Webhook tokens and secrets act as delegated authority for bot accounts. This is expected for the integration, but users should treat them as credentials.

Skill content

parser.add_argument('--token', required=True, help='DingTalk access token')
parser.add_argument('--secret', help='DingTalk secret (optional, for security)')

Recommendation

Use only tokens for bots you control, avoid exposing tokens in shared logs or shell history, and rotate/revoke tokens if they are accidentally disclosed.

What this means

Message content, including any sensitive text placed in the content field, will be transmitted to the selected webhook endpoint.

Why it was flagged

The script can send message content to a full webhook URL supplied at runtime. This is central to the skill's purpose, but the data boundary depends on the supplied URL.

Skill content

group.add_argument('--url', help='The full webhook URL')
...
req = urllib.request.Request(url, data=json.dumps(data).encode('utf-8'), headers=headers)

Recommendation

Only use trusted webhook URLs and avoid sending secrets, private documents, or confidential data unless the destination is appropriate.