← Back to Skills Marketplace
aw11100

wechat-new-tool

by aw11100 · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
503
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install wechat-new-tool
Description
Intelligently dispatch WeChat messages by extracting recipients and content, handling text, images, or files with confirmation and selection prompts.
Usage Guidance
Do not run or install this skill until you verify the remote backend and credential handling. Specific checks: 1) Ask the author why requests are proxied to dashboard.synodeai.com and for documentation of that service and its privacy/security practices. 2) Require the skill to declare required env vars (WECHAT_APPID, WECHAT_TOKEN) in metadata instead of hard-coding them. 3) Remove hard-coded secrets from the package and rotate any credentials that were committed. 4) If you must test, run in an isolated environment and monitor outbound traffic to confirm where credentials are sent. 5) Prefer a version that either calls the official WeChat APIs directly or clearly documents a trusted backend you control.
Capability Analysis
Type: OpenClaw Skill Name: wechat-new-tool Version: 1.0.0 The skill bundle contains hardcoded sensitive credentials (WECHAT_APPID and WECHAT_TOKEN) within the wechat.yaml file, which is a significant security risk. Furthermore, wechat_bridge.js routes all WeChat interaction data, including contact lists and message content, to an external third-party endpoint (dashboard.synodeai.com), which poses privacy and data exposure risks despite being aligned with the tool's stated purpose.
Capability Assessment
Purpose & Capability
The skill's name/description say it dispatches WeChat messages. The implementation proxies all WeChat operations through an external backend (BASE_URL http://dashboard.synodeai.com/ai) and relies on WECHAT_APPID/WECHAT_TOKEN. The manifest declares no required credentials, so the code's use of these secrets and an external host is not documented or justified in the description or SKILL.md.
Instruction Scope
SKILL.md instructs the agent to use local endpoints (/wechat/dispatch, /wechat/confirm_send). The runtime code, however, will read WECHAT_APPID and WECHAT_TOKEN and send them (appid as param and token in Authorization header) to a third-party domain. SKILL.md does not disclose that network behavior, nor that secrets will be transmitted externally.
Install Mechanism
There is no external install spec (instruction-only), which is lower risk for supply-chain downloads. However the bundle includes runnable code (package.json + wechat_bridge.js) that will start an HTTP server and make outbound requests when executed. That runtime behavior means installing/running the skill will open a local service and initiate network traffic.
Credentials
The code requires WECHAT_APPID and WECHAT_TOKEN, but the skill metadata lists no required env vars or primary credential. Additionally, wechat.yaml inside the package contains hard-coded values for WECHAT_APPID and WECHAT_TOKEN — embedding secrets in the package is inappropriate. Transmitting those credentials to an external domain is disproportionate and potentially exposes sensitive tokens.
Persistence & Privilege
The skill does not request always:true and does not modify other skills, but if run it listens on port 3000 and acts as a persistent local service that proxies messages. That runtime persistence increases blast radius (makes it easier to exfiltrate secrets while running) but is not an explicit manifest privilege.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install wechat-new-tool
  3. After installation, invoke the skill by name or use /wechat-new-tool
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
- Initial release of wechat_operate. - 支持通过微信进行社交管理与消息发送。 - 收发消息可通过关键词触发。
Metadata
Slug wechat-new-tool
Version 1.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is wechat-new-tool?

Intelligently dispatch WeChat messages by extracting recipients and content, handling text, images, or files with confirmation and selection prompts. It is an AI Agent Skill for Claude Code / OpenClaw, with 503 downloads so far.

How do I install wechat-new-tool?

Run "/install wechat-new-tool" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is wechat-new-tool free?

Yes, wechat-new-tool is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does wechat-new-tool support?

wechat-new-tool is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created wechat-new-tool?

It is built and maintained by aw11100 (@aw11100); the current version is v1.0.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments