CEO小茂能力包
PassAudited by VirusTotal on May 10, 2026.
Overview
Type: OpenClaw Skill Name: ceo-xiaomao Version: 1.8.2 The skill bundle provides a comprehensive suite for business automation, including Google Maps scraping, bulk email/WhatsApp messaging, and an AI-driven WhatsApp auto-responder. While the code aligns with the stated purpose, it contains high-risk behaviors such as automated network requests, file downloads from external messaging platforms (auto_reply.py), and the execution of system commands via subprocess. Notably, scripts/oneabc.js employs a minor obfuscation technique by splitting the 'Authorization' string ('Author' + 'ization') to potentially evade static analysis or security filters. These capabilities, combined with the handling of multiple service credentials, justify a suspicious classification despite the lack of clear evidence of malicious intent.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If run with real WhatsApp credentials, the skill may send AI-generated business messages or product files to customers or newly discovered contacts without the user reviewing each message.
The assistant is designed to automatically monitor WhatsApp contacts and send replies/files, which is high-impact outbound communication without visible per-message approval or recipient scoping.
WhatsApp 全自动跟单增强版 ... 3. 📄 发送产品图册 PDF ... 7. 🔍 自动发现新联系人 → 主动监听起来
Use a test account first, add explicit contact allowlists, dry-run/preview mode, send limits, and human approval before enabling unattended replies or file sending.
Customer messages or image context could be processed by an unknown agent configuration, and that agent's output may drive external WhatsApp replies.
Customer-derived prompts are passed to a configurable OpenClaw agent, but the artifacts do not define that agent's identity, tools, data boundaries, or validation before replies may be sent onward.
[openclaw_bin, 'agent', '--agent', AI_AGENT, '--message', prompt_text, '--timeout', '25']
Bind this workflow only to a reviewed, least-privilege agent; sanitize untrusted customer input; log prompts/outputs; and require approval before sending generated replies.
Compromise or misuse of these credentials could send messages, emails, or model requests under the user's business accounts.
These environment variables grant access to email, model API, and WhatsApp/Green API accounts. This is expected for the stated integrations, but it is sensitive authority.
`MAIL_ACCOUNT`, `MAIL_CREDENTIAL`; `ONEABC_ACCESS_CREDENTIAL`; `GREEN_API_URL`, `GREEN_API_INSTANCE_ID`, `GREEN_API_CREDENTIAL`
Use dedicated accounts or app-specific tokens, keep credentials out of files, verify service URLs, rotate tokens, and limit account permissions where possible.
Customer/contact data and assistant state can remain on disk and be reused in later sessions.
The workspace initializer creates persistent state files for customer lists, notifications, and reply state.
'.known_customers.json' ... '.boss_notifications.json' ... '.auto_state_v3.json'
Store the workspace in a protected directory, periodically review/delete state files, and avoid placing sensitive customer data in shared folders.
Users may need to install local dependencies manually, and there is less provenance assurance for the included automation code.
The bundle includes runnable scripts but no install specification, dependency pinning, or source provenance.
Source: unknown ... No install spec — this is an instruction-only skill.
Review the scripts before use and install dependencies from trusted, pinned sources in an isolated environment.