Huo15 Wecom Plugin
WarnAudited by ClawScan on May 10, 2026.
Overview
This appears to be a real WeCom integration, but it gives agents broad power to change company documents, calendars, permissions, and messaging, so it needs careful review before use.
Install only if you intend to let OpenClaw act inside your WeCom environment. Enable the minimum needed tools, use least-privilege WeCom app permissions, require confirmation for deletes/permission changes/broadcast-like actions, and verify the package identity before installation.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If these tools are enabled, an agent mistake or prompt-injected WeCom conversation could alter, delete, or expose company documents.
The documented WeCom document tools can delete business documents/forms and bulk change access permissions. The provided artifacts do not show a confirmation, dry-run, allowlist, or approval requirement for these high-impact mutations.
"本清单列出所有企业微信文档相关的 MCP Tools" ... "action": "delete", "description": "删除文档或收集表" ... "action": "grant_access", "description": "批量授予或撤销文档访问权限"
Require explicit user approval for delete, permission, external-share, and bulk document actions; restrict document spaces and user IDs; and keep audit logs.
A wrong tool call could remove shared calendars, change events, or invite many employees unexpectedly.
The calendar tools can delete calendars and create or update large-scope schedules. The artifacts do not show user-confirmation thresholds for disruptive calendar operations.
"本清单列出所有企业微信日历相关的 MCP Tools" ... "action": "calendar_delete", "description": "删除指定日历" ... "attendees": "可选:object[],日程参与者列表,最多 1000 人"
Add approval prompts for calendar deletion, attendee changes, public/all-company calendars, and large attendee lists; use least-privilege calendar permissions.
Anyone who obtains these secrets may be able to send messages or access WeCom APIs within the configured permission scope.
The plugin requires sensitive WeCom application secrets, callback tokens, and encryption keys. This is expected for WeCom integration, but users should treat it as privileged account access.
"agentSecret": "<PRIMARY_AGENT_SECRET>", "token": "<PRIMARY_CALLBACK_TOKEN>", "encodingAESKey": "<PRIMARY_ENCODING_AES_KEY>"
Store secrets in a credential manager or protected OpenClaw config, separate Bot/Agent/Kefu credentials, grant only required WeCom permissions, and rotate secrets periodically.
A misconfiguration could send business messages to the wrong WeCom account, corporation, or user.
The plugin routes messages across account, corporation, and upstream/downstream enterprise boundaries. That is purpose-aligned, but it depends on correct target resolution and credential separation.
回复时使用 `wecom-agent-upstream:{accountId}:{corpId}:{userId}` 格式的 target ... 使用对应的上下游 Agent 配置发送消息Use explicit account/corp allowlists, test routing in a non-production tenant, and monitor audit logs for cross-enterprise delivery.
A user following the wrong install command could install a different package than the one being reviewed.
The README install command references an older/different package name, while the evaluated skill and registry identify the package as Huo15/@huo15/wecom. This looks like stale documentation rather than malicious behavior, but it is a provenance ambiguity.
openclaw plugins install @yanhaidao/wecom
Verify the package name, registry entry, homepage, and version before installing; prefer the registry-approved @huo15/wecom package if that is the intended plugin.
Once configured, the plugin may continue receiving WeCom messages and invoking agents until the channel or account is disabled.
The plugin maintains an active WeCom Bot WebSocket flow and automatically reconnects. This persistence is disclosed and expected for a chat channel, but users should know it keeps operating in the background.
启动后,Bot 收到的消息会自动路由到默认 Agent ... ack timeout watchdog 自动重连
Enable only intended accounts, disable unused transports, and review runtime/audit logs for unexpected activity.