Skill v2.8.8

ClawScan security

Huo15 Wecom Plugin · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 28, 2026, 11:07 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The package appears to implement a WeCom (enterprise WeChat) OpenClaw channel and the code largely matches the README, but there are inconsistencies between the registry metadata, the SKILL.md instructions, and the on-disk package (including a prompt-injection signal in SKILL.md) that merit caution before installing in production.
Guidance
What to consider before installing:

- The plugin codebase (many TypeScript files, package.json, tests, changelogs) matches the claimed functionality, but the registry metadata incorrectly labels it 'instruction-only' and lists no install spec or config paths — confirm the canonical install source (npm package name and publisher) and whether OpenClaw will build/run the included code or just the registry pointer.
- SKILL.md and README instruct you to put sensitive WeCom credentials (corpId/agentSecret, Bot WS secret, etc.) into your OpenClaw configuration. Only provide those secrets after you verify the package origin (npm owner, GitHub repo, signed release) and review the source files that will be executed.
- A prompt-injection pattern (unicode-control-chars) was found in SKILL.md. Ask the maintainer to explain or remove any hidden/zero-width characters before trusting the docs/evaluation results.
- Recommended precautions:
  - Install into an isolated/staging OpenClaw instance first, not production.
  - Verify package integrity: check npm publisher, compare contents with the GitHub mirror (https://github.com/zhaobod1/huo15-wecom-plugin) and upstream (yanhaidao/wecom). Prefer installing from an official registry mirror you trust.
  - Review package.json, build scripts and any postinstall hooks for network calls or shell execution before running.
  - Limit plugin credentials to least privilege (e.g., separate corpSecret for kefu vs agent as documented), and rotate secrets if you test the plugin.
  - Monitor outbound network activity and application logs after deployment; test sending and receiving in non-sensitive accounts first.

What would raise confidence: explicit install spec in registry metadata referencing a well-known registry/release (npm org or GitHub release), a signed release or reproducible build, the maintainer's verified identity, and removal/explanation of the unicode-control characters found in SKILL.md.
Findings
[unicode-control-chars] unexpected: Prompt-injection pattern detected inside SKILL.md. The rest of the SKILL.md appears to be technical documentation, but control/unicode injection characters can be used to manipulate downstream evaluation or parsing; the presence is unexpected and should be inspected and removed or explained by the author.

Review Dimensions

Purpose & Capability
note
The name, description, README and the large TypeScript codebase are coherent: this is an OpenClaw WeCom channel plugin providing Bot WS / Agent / Kefu paths, media decryption, document/calendar tools, and upstream (cross-corp) support. However the registry metadata claims 'No install spec' / 'instruction-only' and 'no required env vars' while the SKILL.md and README clearly instruct users to install the npm package and to add WeCom credentials into ~/.openclaw/openclaw.json (CorpId/AgentSecret/etc). That mismatch between declared metadata and actual package content/config needs clarification.
Instruction Scope
concern
SKILL.md instructs installation via 'openclaw plugins install @huo15/wecom' or 'npm install @huo15/wecom' and shows explicit configuration examples that require provisioning sensitive WeCom credentials into OpenClaw config files. SKILL.md references a local config path (~/.openclaw/openclaw.json) but registry metadata lists no required config paths. Pre-scan found 'unicode-control-chars' in SKILL.md (prompt-injection pattern). The instructions do not instruct arbitrary file reads, but the mismatch about required config location and the presence of injection-character patterns are concerning and should be resolved before trusting the plugin.
Install Mechanism
note
There is no registry install spec included in the metadata even though the package contains package.json and a full codebase (223 files, TypeScript sources, tests, changelog). The SKILL.md recommends installing via OpenClaw's plugin system or npm. Installing via npm is a standard mechanism; there are no evidence strings of remote arbitrary downloads in the provided files. Still, the registry entry's 'instruction-only' label despite bundled source is an inconsistency to confirm (where will the platform run/build the code and from which origin will users fetch it?).
Credentials
ok
The registry declares no required environment variables; the plugin expects WeCom credentials to be configured in OpenClaw's channel config (openclaw.json) rather than as environment variables. The set of credentials and APIs the code uses (WeCom Agent/Corp APIs, corpgroup upstream token flow) is proportional to the plugin's stated purpose. No unrelated cloud credentials or broad environment secrets are requested by the package metadata.
Persistence & Privilege
note
The skill does not request 'always: true' and uses normal autonomous invocation defaults. Because it is a messaging channel plugin that can send messages and access enterprise data, it inherently can exfiltrate information if misused. This is expected for a channel plugin, but combined with the metadata vs. code inconsistencies and prompt-injection signal it raises additional reason to review source and run in a restricted environment first.