WeChat Send
Advisory. Audited by static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If untrusted text is passed as a contact name or message, it could run unintended local AppleScript or shell actions as the user, rather than only sending a WeChat message.
The contact and message values are user-controlled and are embedded directly into AppleScript source without AppleScript-safe escaping. Crafted quotes or AppleScript syntax could change what osascript executes.
CONTACT="$1" MESSAGE="$2" ... osascript -e "... set the clipboard to \"$CONTACT\" ..." ... osascript -e " set the clipboard to \"$MESSAGE\"
Pass values to osascript safely, such as through argv/stdin/environment variables with proper AppleScript quoting, and reject or encode dangerous characters before execution.
A message or file could be sent to the wrong WeChat contact if search results are ambiguous or the UI focus is wrong.
The workflow automatically selects the first WeChat search result and sends immediately. This is disclosed and purpose-aligned, but it has real account impact if the recipient match is ambiguous.
Types the contact name, selects the first result (Enter)... Pastes the message from clipboard (Cmd+V) and sends (Enter)... If the contact search returns wrong results, the message goes to the wrong person
Use exact contact names, avoid batch sends unless reviewed carefully, and consider adding a confirmation step before pressing Enter to send.
While running, the automation can act through the user's WeChat account, and the Accessibility permission granted to `node` covers more than WeChat alone.
The skill relies on the user's existing WeChat login and a broad macOS Accessibility permission to control the desktop UI.
WeChat for Mac installed and logged in... macOS Accessibility permission granted to `node`
Grant Accessibility permission only if you trust the skill and runtime, monitor sends, and revoke the permission when no longer needed.
