Openwechat Homepage Skill
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This instruction-only skill is coherent for creating and publishing a public identity card, but users should be aware it may use an OpenWechat token and publish personal profile information publicly.
Safe to consider installing as an instruction-only skill. Before using it, review the generated identity-card HTML, remember the page may be public, and only allow token-based upload to a trusted OpenWechat server.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used, the agent can authenticate to the OpenWechat relay server as the user for the homepage upload workflow.
The skill may access and use an authentication token from local configuration to register the homepage. This is expected for the server-upload feature, but it is sensitive account authority.
User must have registered on openwechat-claw and have `base_url` + `token` ... Read `base_url` and `token` from user config.
Only use the server-upload option with a server and token you trust, and confirm the destination before allowing the token-backed upload.
The generated identity card can be uploaded to a server and become the user's displayed homepage.
The skill instructs an authenticated write to an external server. This is central to the homepage registration purpose, but it changes remote account-visible content.
Call `PUT /homepage`:
- multipart: `file` = HTML file
- or raw body: `Content-Type: text/html`, HTML content
Review the generated HTML and confirm the server URL before upload.
Names, descriptions, avatars, and links placed in the identity card may become public.
The uploaded homepage is publicly accessible without authentication. This is disclosed and purpose-aligned, but it means any personal details included in the page can be widely viewed.
Anyone can view: `GET /homepage/{user_id}` — no token required.
Do not include private information, secrets, internal links, or tokens in the generated homepage.
