← Back to Skills Marketplace
238
Downloads
1
Stars
0
Active Installs
9
Versions
Install in OpenClaw
/install wecom-deep-op
Description
基于微信官方插件 @wecom/wecom-openclaw-plugin v1.0.13+,封装的一站式企业微信自动化解决方案 - 你可以方便操作文档、日历、会议、待办、通讯录所有企业微信MCP能力,充分发挥OpenClaw与企业微信的协同能力。
Usage Guidance
This skill appears to implement a legitimate Enterprise WeChat (WeCom) MCP wrapper and needs the bot's uaKey (supplied by you) and local OpenClaw config to work — that is expected. However:
- Metadata mismatch: the registry metadata says no env vars/config paths are required, but SKILL.md/README require WECOM_*_BASE_URL environment variables or an mcporter.json entry (uaKey). Confirm the published skill.yml actually declares the env vars before installing.
- Audit before running anything that executes shell commands: the repo contains maintainer scripts (publish, build) that call execSync/grep/npm; do not run those unless you trust the source. They are not required for normal runtime but could be misused if executed.
- Inspect runtime code (src/index.ts / dist/) for any network calls beyond the user-configured WeCom endpoints (qyapi.weixin.qq.com). Confirm logging does not print full URLs or uaKey. The docs claim uaKey is never stored, but verify in code.
- Keep uaKey secret: treat it like a password. Configure it via env vars or mcporter.json with appropriate file permissions. Consider testing in a sandboxed environment or on a non-production account first.
- If you need higher assurance: request the published package (skill.yml and dist) from the maintainer or from Clawhub, verify skill.yml lists the env vars and inspect the bundled dist for unexpected outbound endpoints before installing.
Capability Analysis
Type: OpenClaw Skill
Name: wecom-deep-op
Version: 2.0.2
The wecom-deep-op skill is a comprehensive and well-documented wrapper for Enterprise WeChat (WeCom) MCP capabilities, including document, schedule, meeting, todo, and contact management. The source code (src/index.ts) unifies access to these services by proxying requests to official WeCom endpoints (qyapi.weixin.qq.com) using user-provided environment variables or configuration files. The bundle includes robust input validation,指数退避 (exponential backoff) retry logic, and extensive security documentation (SECURITY_AUDIT.md and README.md) that explicitly addresses credential safety and data flow boundaries. No evidence of malicious intent, unauthorized data exfiltration, or prompt injection was found.
Capability Assessment
Purpose & Capability
Name/description, declared dependency on @wecom/wecom-openclaw-plugin and OpenClaw core, and the provided code (src/dist) all align with a WeCom MCP wrapper. The requested capabilities (doc, schedule, meeting, todo, contact) are appropriate for the stated purpose.
Instruction Scope
SKILL.md and the README instruct the agent/user to read and edit user config (~/.openclaw/workspace/config/mcporter.json) or set WECOM_*_BASE_URL environment variables and to call local CLI tools (wecom_mcp, mcporter, openclaw). Those actions are appropriate for this integration. Nothing in the instructions directs exfiltration to third‑party domains; however the skill expects access to user-managed uaKey credentials and reads local config files — which is expected but sensitive. Some documentation (publish scripts, publishing guides) contains shell/exec usage (execSync, grep) intended for maintainers; these scripts execute commands on the host if run and should be audited before use.
Install Mechanism
There is no install spec in registry metadata (instruction-only), but the package contains runnable code (src/, dist/). That is not necessarily malicious, but the mismatch is a concern: the registry metadata reported 'Required env vars: none' and 'Required config paths: none' while the SKILL.md and README clearly require environment variables or mcporter.json. Also the repo includes publish/build scripts that run shell commands (execSync) — expected for publishing but worth reviewing before executing locally.
Credentials
The skill legitimately needs the WeCom uaKey (via env vars or mcporter.json) to operate. That credential request is proportional to the stated functionality. The problem is the metadata advertised no required env vars/config paths, while the runtime docs require multiple WECOM_*_BASE_URL env vars or a mcporter.json entry. This inconsistency is material: installing under the assumption that 'no env vars are required' would be wrong. Verify skill.yml/package metadata in the published package to confirm declared env entries before installation.
Persistence & Privilege
always:false and autonomous invocation allowed (the platform default). The skill does not request permanent system-wide privileges or claim to modify other skills. It does instruct editing the user's OpenClaw config (expected for integration) but does not demand unusual system persistence.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install wecom-deep-op - After installation, invoke the skill by name or use
/wecom-deep-op - Provide required inputs per the skill's parameter spec and get structured output
Version History
v2.0.2
wecom-deep-op v2.0.2
- Bump version to 2.0.2
- Update documentation in SKILL.md to match latest version and usage conventions
- Update metadata and config files (CHANGELOG.md, _meta.json, skill.yml) for version alignment and completeness
- Minor clarifications and consistency fixes across documentation
- No functional logic or interface changes in this release
v2.0.1
wecom-deep-op 2.0.1 更新日志
- 新增英文文档:加入 README.en.md、SKILL.en.md、QUICKSTART.en.md,提升国际化支持。
- 完善说明文档与元数据:更新 CHANGELOG.md、README.md、SKILL.md、skill.yml、_meta.json,内容更加规范和详尽。
- 提升文档结构:区分中英文文档,帮助不同用户更快上手和集成。
- 依赖和作者信息优化:修正/补充作者及依赖声明,便于社区贡献和维护。
v2.0.0
wecom-deep-op v2.0.0 is a major update providing a unified, production-ready solution for automating all major WeCom MCP features (documents, calendar, meetings, todos, contacts) with security-first design.
- Unified all WeCom MCP operations (docs, schedule, meetings, todos, contacts) into a single tool/skill interface.
- Added automatic preflight configuration checks to ensure proper authorization.
- Released extensive Chinese documentation with detailed setup, usage examples, and explanations of error handling and security.
- Enforced secure credential management practices (no tokens stored, user-managed configuration).
- Updated to depend on @wecom/wecom-openclaw-plugin v1.0.13+ and openclaw v0.5.0+.
- Provided guidance and workflow for Clawhub skill installation and publishing.
v1.0.1
- 首发版本,发布 wecom-deep-op v1.0.0,聚合企业微信文档、日程、会议、待办、通讯录所有MCP能力。
- 基于官方插件 @wecom/wecom-openclaw-plugin v1.0.13+ 实现,支持 OpenClaw v0.5.0+ 环境。
- 提供统一调用接口,简化五大MCP服务的操作入口。
- 内置前置检查(自动验证授权和配置),提升使用安全性和稳定性。
- 严格不存储任何敏感凭证,所有token需用户自行安全管理。
- 完善使用示例、错误处理、权限配置和开发发布指南。
v1.0.5
wecom-deep-op v1.0.5
- Documentation updates and minor maintenance changes.
- Added release notes for previous version (RELEASE_NOTES_v1.0.4.md).
- Updated version numbers in SKILL.md and package.json.
- Improved and clarified usage, publishing, and configuration instructions in documentation.
- No breaking changes to core functionality.
v1.0.4
wecom-deep-op v1.0.4
- Updated documentation, including SKILL.md, README.md, and CHANGELOG.md.
- Added RELEASE_NOTES_v1.0.3.md file.
- Bumped version number in configuration files.
- Minor clarifications and formatting improvements across doc files.
v1.0.3
wecom-deep-op 1.0.3 更新日志
- 版本号升级至 1.0.3
- 文档 SKILL.md 同步更新版本号,内容小幅微调(比如去除结尾省略号)
- 对元数据和依赖声明进行了修订,保持与实际 package.json/skill.yml 一致
- 其它核心功能未变,兼容原有用法
v1.0.2
- Initial public release of wecom-deep-op, a unified skill for automating all core WeCom MCP (企业微信) operations.
- Offers a single, simplified interface to access document, calendar, meeting, todo, and contact functions—no need to manage multiple separate plugins.
- Features built-in authorization checks (via wecom-preflight) and does not store or transmit any WeCom credentials.
- Provides comprehensive usage documentation and step-by-step setup instructions for secure enterprise deployment.
- Integrates with OpenClaw (v0.5.0+) and the official @wecom/wecom-openclaw-plugin (v1.0.13+).
- Includes code examples and clear error-handling practices for ease of use.
v1.0.0
wecom-deep-op 1.0.0 初始发布,实现企业微信操作能力统一聚合。
- 首次发布,封装文档、日历、会议、待办、通讯录等所有企业微信官方 MCP 能力
- 所有功能均通过统一 wecom_mcp 接口一站式调用,无需分别集成多种服务
- 内置前置检查,辅助用户完成授权配置
- 返回结构规范,提供标准错误处理与重试机制
- 详细文档覆盖安装、配置、安全建议、接口说明及常见问题
Metadata
Frequently Asked Questions
What is Wecom Deep Op?
基于微信官方插件 @wecom/wecom-openclaw-plugin v1.0.13+,封装的一站式企业微信自动化解决方案 - 你可以方便操作文档、日历、会议、待办、通讯录所有企业微信MCP能力,充分发挥OpenClaw与企业微信的协同能力。 It is an AI Agent Skill for Claude Code / OpenClaw, with 238 downloads so far.
How do I install Wecom Deep Op?
Run "/install wecom-deep-op" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Wecom Deep Op free?
Yes, Wecom Deep Op is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Wecom Deep Op support?
Wecom Deep Op is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Wecom Deep Op?
It is built and maintained by Bingbox (@bingbox); the current version is v2.0.2.
More Skills