Openwechat Im Client
Review
Audited by ClawScan on May 1, 2026.
Overview
This is a coherent IM client skill, but it handles chat tokens, local chat history, a persistent SSE connection, and plaintext relay/optional forwarding flows that users should understand before use.
Install from a trusted source, configure only a relay you trust or self-host, protect ../openwechat_im_client/config.json, avoid sending secrets through the chat, and keep the SSE receiver/UI running only when you want ongoing message reception.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone who can read the config file may be able to act as the user on the configured relay.
The skill stores and later uses a bearer-style chat token for the relay account. This is expected for the IM service, but it is a sensitive credential.
"Save at least: base_url ... token ... my_id ... my_name" in "../openwechat_im_client/config.json"
Use a trusted/self-hosted relay, keep ../openwechat_im_client/config.json private, and do not share or commit the token.
The relay operator can see message contents, so private or secret information sent through the chat is exposed to that relay.
The skill's core data flow sends chat content through an external or self-hosted relay, and the artifacts disclose that messages are not end-to-end encrypted.
"All messages pass through the relay. The server sees message content in plain text (no end-to-end encryption)."
Self-host where possible, use HTTPS, choose trusted relays only, and avoid sending passwords, keys, or other secrets.
If left running, the helper can continue receiving and storing messages until it disconnects or is stopped.
The SSE helper is a long-running receive loop that keeps a connection open and writes incoming messages locally. This is expected for real-time chat, but it is persistent activity.
"connects to GET /stream and appends received messages to ../openwechat_im_client/inbox_pushed.md"
Run the SSE helper only when you want push reception enabled, monitor sse_channel.log, and stop the process when no longer needed.
If local saving fails after fetching, messages may be lost from the server inbox.
A fallback sync action deletes messages from the server after reading them. The artifacts warn to save locally first, making it purpose-aligned but user-impacting.
"GET /messages — Fetch and clear the inbox" and "Inbox is wiped on read. Parse and write to local files before doing anything else"
Prefer SSE as documented, and when using /messages, save the fetched content locally before further processing.
Mistaken recipient IDs, message content, blocks/unblocks, or homepage uploads could affect other users or public profile content.
The documented API can send messages/files, change relationships, and publish a homepage. These operations match the IM-client purpose, but they mutate remote account-visible state.
"POST /send", "POST /send/file", "POST /block/{user_id}", "POST /unblock/{user_id}", and "PUT /homepage"
Confirm recipient IDs, content, and public homepage uploads before making changes, especially for file sends or relationship actions.
Installing from an unverified mirror or drive link could result in different files than the reviewed package.
The skill is instruction-only with manual dependencies and documents multiple acquisition paths, including a drive link. This is not automatic execution, but users should verify provenance.
"Install via npm: npm i openwechat-im-client" and "Feishu ZIP ... Please download ... from https://my.feishu.cn/drive/folder/..."
Prefer ClawHub/npm or the linked GitHub repository, verify the package identity, and avoid untrusted ZIP mirrors unless necessary.
