Skill v2.1.3

ClawScan security

Huo15 Openclaw Wechat Service · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 29, 2026, 2:34 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The plugin appears to implement the described WeChat integration, but there are several inconsistencies (missing declared env requirements, surprising transitive deps in the lockfile, and a prompt-injection signal in SKILL.md) that merit caution before installation.
Guidance
What to consider before installing:

- Confirm the missing declared envs: the registry lists no required environment variables, but SKILL.md and the code need per-account WeChat secrets (appId/appSecret/token/encodingAESKey) and optionally Odoo credentials. Do not supply global/privileged credentials without understanding scope; create least-privilege service accounts where possible.
- Review package contents locally before installing: check package.json and package-lock.json for unexpected or large transitive dependencies (the included lockfile shows many AWS/Anthropic-related packages that are surprising for a WeChat plugin). If you rely on npm install, prefer to inspect the published package on npmjs.org and verify the tarball contents match the repository.
- Host and webhook exposure: the plugin registers HTTP webhook routes (e.g., /plugins/wechat-service/{accountId}). Ensure your OpenClaw host's network exposure and firewall/IP whitelisting are configured correctly before you point WeChat at it. The README even instructs you to add your egress IP to the WeChat IP whitelist; do that from a controlled environment.
- Secrets handling: SKILL.md suggests syncing knowledge to Odoo using username/password. Consider alternatives (tokened service account) and avoid reusing admin credentials. Keep credentials out of shared shells and CI logs.
- Prompt-injection and file integrity: SKILL.md triggered the unicode-control-chars detection. Ask the maintainer for a sanitized SKILL.md and verify the files (README, CHANGELOG, code) are unmodified and come from the expected repository URL before trusting the plugin.
- Test in isolation: run the plugin in a sandbox or staging OpenClaw instance (not production) to verify behavior, especially admin-only permissionMode handling and which actions are blocked. Inspect the authorization code (src/shared/authorization.ts) to confirm no accidental elevation paths.
- Ask the author/maintainer: request clarification about the registry's lack of declared env requirements, the large package-lock contents, and the unicode-control-chars finding. If you don't get satisfactory answers, avoid installing on production.

If you want, I can:

- Point out the exact files and lines that reference sensitive env names and external endpoints (WeChat endpoints, Odoo url) so you can review them more quickly.
- Summarize the authorization logic from src/shared/authorization.ts to show exactly which actions are allowed for dynamic agents vs adminUsers.
Findings
[unicode-control-chars] unexpected: Prompt-injection / unicode control characters were found inside SKILL.md frontmatter/content. This is not expected for a documentation/instructions file and may indicate an attempt to influence parsers or obfuscate content. Please request a cleaned version or explanation from the author.

Review Dimensions

Purpose & Capability
[note] The skill's name/description match the code and SKILL.md: it is a WeChat (公众号) channel plugin that registers webhook routes, tools, and access-token handling. However, the registry metadata claims 'Required env vars: none' while SKILL.md and code clearly expect per-account secrets (appId/appSecret/token/encodingAESKey and optional Odoo creds). That mismatch between declared requirements and actual configuration needs is incoherent and should be clarified by the author.
Instruction Scope
[concern] SKILL.md instructs users to run installation (/install or npm), edit ~/.openclaw/openclaw.json bindings, export environment variables (WECHAT_SERVICE_APP_SECRET, WECHAT_SERVICE_TOKEN, WECHAT_SERVICE_AES_KEY, ODOO_PASSWORD), and even run commands like 'curl ifconfig.me' to determine egress IP for WeChat IP whitelisting. Those instructions are plausible for a channel plugin, but they involve handling secrets and editing user config files. SKILL.md also contains a detected 'unicode-control-chars' prompt-injection signal (an attempt to manipulate parsing or display), which is suspicious in an instructions file.
Install Mechanism
[note] No install spec was provided in the registry summary, but SKILL.md and package.json show the intended install via npm (@huo15/wechat-service). The package.json dependencies are minimal (fast-xml-parser, undici), which is expected; however, the included package-lock.json in the manifest contains many unrelated/large packages (Anthropic, AWS SDK/bedrock runtime, etc.), which is unexpected for this plugin and increases surface area. No downloads from private/personal URLs are present in the metadata shown.
Credentials
[concern] The registry reports no required env vars, yet the docs and code expect multiple secrets (WeChat appSecret, token, encoding key) and optional Odoo credentials. Requiring Odoo username/password and suggesting local knowledge sync (localPath and Odoo endpoint) means this plugin will touch external services beyond WeChat. The SKILL.md recommends storing credentials in env vars but does not declare them in the registry metadata: a proportionality and transparency problem. Any installation will require sensitive credentials; the user should confirm minimal credential scoping and avoid reusing broad credentials.
Persistence & Privilege
[ok] The plugin is not marked 'always: true' and is user-invocable. It registers HTTP webhook routes (expected for a channel plugin) and registers tools with the agent runtime. That level of persistence and privilege is normal for a channel plugin. Note: because the plugin can be invoked autonomously (disable-model-invocation is false), if installed in a multi-agent environment it could be called by agents; combine this with the credential concerns above before enabling auto-invocation.