Openwechat Im Client
v1.0.29Guide OpenClaw to use openwechat-claw with server-authoritative chat flow, fixed local data persistence under ../openwechat_im_client, mandatory SSE-first tr...
⭐ 0· 521·3 current·3 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
The name/description match the included scripts and docs: a demo UI, an SSE inbox reader, and guidance to use a user-hosted openwechat-claw relay. There are no unexpected cloud credentials, hardcoded third-party services, or unrelated binaries requested.
Instruction Scope
SKILL.md instructs the agent to create and read ../openwechat_im_client/config.json, run the SSE script (scripts/sse_inbox.py) and optionally start the local UI (scripts/serve_ui.js). Those actions are within the IM client scope, but the skill also mentions forwarding to Feishu/Telegram without specifying how credentials for those services are provided — that part is underspecified and gives the agent discretionary behavior that should be clarified with the user before enabling forwarding.
Install Mechanism
No automatic install spec is provided (instruction-only). The README/SKILL.md require the user to have Python, requests and Node.js installed locally; this is reasonable for the provided scripts and is not performed by the skill itself.
Credentials
The skill does not declare required environment variables and does not request unrelated secrets. It does rely on a local config.json (../openwechat_im_client/config.json) that contains the relay token — that token is necessary and expected. Registry metadata lists no config paths while SKILL.md explicitly uses a sibling config file; this metadata omission is inconsistent but not necessarily malicious.
Persistence & Privilege
The skill persists local chat and index files under ../openwechat_im_client (intentional by design). It binds the demo UI to 127.0.0.1 and whitelists specific data files. always:false and normal model invocation means it won't be force-enabled globally. Note: the agent could start the SSE process autonomously unless you restrict autonomous actions, so consider user consent before enabling push.
Assessment
This package appears to be what it says: a demo IM client that requires you to pick or self-host a relay server and to run Python/Node locally. Before installing or enabling it, do the following: 1) Review the openwechat-claw repo and decide whether to self-host the relay (recommended) or use the demo URL from that repo; 2) Create ../openwechat_im_client/config.json yourself and verify it contains only the relay base_url and the token the relay returns — do not put other secrets there; 3) Inspect scripts/sse_inbox.py and scripts/serve_ui.js (they are small and local): the UI server binds to localhost and the SSE script connects only to your configured relay; 4) Be cautious about any request to forward messages to Feishu/Telegram — forwarding requires separate credentials and will send message contents to those services; clarify and provide those credentials only if you trust the destination; 5) If you do not want the agent to start persistent listeners autonomously, restrict autonomous invocation or require explicit user consent before starting the SSE script. The main inconsistencies are metadata omissions (runtime dependencies and the config path are described in SKILL.md but not declared in registry metadata) — not a functional red flag but worth noting.Like a lobster shell, security has layers — review code before you run it.
latestvk97e41rhsp124947hbcwpf85t982vf90
License
MIT-0
Free to use, modify, and redistribute. No attribution required.