Skill v1.0.1
ClawScan security
Wecom Add Friend · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 17, 2026, 8:33 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and requirements align with its stated purpose (automating Enterprise WeChat GUI actions on Windows); it does GUI automation and does not request unrelated credentials or network access.
- Guidance: This skill automates your mouse and keyboard to interact with the Enterprise WeChat PC client. Before using it: (1) verify you trust the script; (2) run the --setup flow while following prompts so coordinates are correct; (3) test with harmless/test phone numbers first to ensure it targets the correct window; (4) ensure WXWork is logged in and visible; (5) be aware the script can click anywhere if it misidentifies the window — keep a hand on the mouse/keyboard or use the FAILSAFE (move mouse to top-left) to abort; (6) ensure Python and required GUI libs (pyautogui, pygetwindow) are installed from trusted sources. If you need stronger guarantees, inspect the full script locally or run it in a controlled/test environment.
Review Dimensions
- Purpose & Capability: ok. Name/description, required binary (python), included script (bin/wecom_auto_add.py), and SKILL.md instructions all consistently implement Windows GUI automation for 企业微信 (WeCom) friend-adding. There are no unrelated credentials, binaries, or config paths requested.
- Instruction Scope: note. Instructions correctly direct the agent to run the included Python script and to perform a one-time coordinate setup. The script performs local GUI automation (mouse/keyboard clicks, window detection) and can start or detect WXWork.exe. Note: if the script fails to identify the WeCom window by title it falls back to picking the first non-minimized visible window, which could cause clicks to target the wrong application — this is a safety/usability risk but consistent with the skill's purpose.
- Install Mechanism: ok. No install spec; this is instruction-only with a single provided Python script. No downloads from external URLs or package registry installs are performed by the skill.
- Credentials: ok. The skill requires only a local Python runtime and the included script; it declares no environment variables, credentials, or external endpoints. That is proportionate to GUI automation of a desktop client.
- Persistence & Privilege: ok. The skill is not always-enabled and uses normal, local operations. It does not modify other skills/configs or request elevated platform privileges.
