Skill v1.0.1
ClawScan security
Openclaw Wechat Mp Guide · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 14, 2026, 9:32 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: This is an instruction-only guide for connecting a WeChat public account to OpenClaw; the steps, required secrets, and file paths are coherent with the stated purpose and no unexpected behavior or installs are present.
- Guidance: This guide appears legitimate and only instructs you how to configure a WeChat public account webhook with OpenClaw. Before proceeding: (1) only enter AppID/AppSecret and EncodingAESKey into OpenClaw if you trust the OpenClaw install — verify its provenance; (2) secure the server (TLS, firewall) and restrict access to your ~/.openclaw/config.yaml (correct file permissions); (3) avoid sharing AppSecret/AESKey publicly or via chat; (4) when you enable the webhook, validate the exact URL and token used by WeChat; (5) be cautious about contacting the listed personal contact for paid setup—prefer official channels. If you want a deeper check, provide the OpenClaw binary/source you plan to run so its behavior when storing/using the secrets can be reviewed.
Review Dimensions
- Purpose & Capability (ok): The name/description (WeChat MP integration) matches the instructions: obtaining AppID/AppSecret, configuring a webhook URL, setting Token/EncodingAESKey, and configuring OpenClaw. Nothing requested is unrelated to connecting a WeChat public account.
- Instruction Scope (note): Instructions tell the agent/operator to input AppID/AppSecret and to write config under ~/.openclaw/config.yaml, start the OpenClaw service, and verify via the WeChat backend — all expected. Be aware the guide implies storing secrets locally and exposing a public URL (80/443) which are necessary for webhooks but require secure handling.
- Install Mechanism (ok): No install spec or code files are present; this is instruction-only so nothing will be downloaded or written by the skill itself.
- Credentials (note): No environment variables or external credentials are requested by the skill metadata. The runtime instructions legitimately require the WeChat AppID/AppSecret and encryption key to be entered into OpenClaw — this is proportional, but users should ensure those secrets are stored securely (file permissions, not uploaded to third parties).
- Persistence & Privilege (ok): The skill is not always-enabled and does not request elevated platform privileges. It does not modify other skills or system-wide settings in its instructions.
