Webhook Robot
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Messages could be sent to a chat, group, or notification channel using the supplied bot credentials.
The skill exposes scripts that can send user-supplied content to external chat or notification services. This is purpose-aligned, but message-sending tools can affect public or team-visible spaces if invoked with valid credentials.
python3 scripts/send_telegram.py --token "BOT_TOKEN" --chat_id "CHAT_ID" --content "Hello"
Confirm the destination and message content before using the skill, especially for shared, public, or work channels.
Anyone with these keys or tokens may be able to send messages through the corresponding bot or webhook.
Webhook tokens and secrets act as delegated authority for bot accounts. This is expected for the integration, but users should treat them as credentials.
parser.add_argument('--token', required=True, help='DingTalk access token')
parser.add_argument('--secret', help='DingTalk secret (optional, for security)')
Use only tokens for bots you control, avoid exposing tokens in shared logs or shell history, and rotate/revoke tokens if they are accidentally disclosed.
Message content, including any sensitive text placed in the content field, will be transmitted to the selected webhook endpoint.
The script can send message content to a full webhook URL supplied at runtime. This is central to the skill's purpose, but the data boundary depends on the supplied URL.
group.add_argument('--url', help='The full webhook URL')
...
req = urllib.request.Request(url, data=json.dumps(data).encode('utf-8'), headers=headers)
Only use trusted webhook URLs and avoid sending secrets, private documents, or confidential data unless the destination is appropriate.
