← Back to Skills Marketplace
1081
Downloads
0
Stars
4
Active Installs
3
Versions
Install in OpenClaw
/install webhook-robot
Description
Send messages to various webhook-based bots (WeCom, DingTalk, Feishu, etc.).
Usage Guidance
This skill appears to do what it says (send webhook messages). Before installing or using it: (1) review the scripts yourself (they are bundled and readable). (2) Avoid passing secret tokens on long-lived command lines—prefer secure config files or protected env vars if you adapt the scripts. (3) Be cautious about allowing autonomous/unsupervised use: the scripts accept arbitrary URLs, so an untrusted prompt could cause the agent to send requests to internal network endpoints. (4) Note the SKILL.md mentions a not-yet-implemented config.json; expect to supply keys/tokens via CLI until you implement safer storage. If you plan to use this in production, run it in a network-isolated environment and rotate tokens used for testing.
Capability Analysis
Type: OpenClaw Skill
Name: webhook-robot
Version: 1.1.0
The skill bundle is designed to send messages to various webhook-based services. While the core functionality is benign, the `scripts/send_gocqhttp.py` script allows specifying an arbitrary URL (`--url`) for the GoCqHttp API. This capability, while necessary for its stated purpose, introduces a potential Server-Side Request Forgery (SSRF) vulnerability if the agent's input is not adequately sanitized, allowing an attacker to direct the agent to make requests to internal network resources or other arbitrary external hosts. This is a risky capability without clear malicious intent within the script itself, thus classifying it as suspicious rather than malicious.
Capability Assessment
Purpose & Capability
The package contains Python scripts to send messages to many webhook services (WeCom, DingTalk, Feishu, Bark, Telegram, PushDeer, ServerChan, GoCqHttp, Gotify), which is coherent with the skill name and README. SKILL.md's brief usage section only shows WeCom and says 'currently supports WeCom' (and references a not-yet-implemented config.json) — this is a documentation mismatch but not an outright capability/credential incoherence. Required binary (python3) is appropriate.
Instruction Scope
Runtime instructions simply call the included scripts with user-supplied tokens/URLs. The scripts do network calls only to webhook endpoints (or whatever URL the user supplies). They do not read unrelated files or environment variables. Two operational notes: (1) many scripts accept arbitrary full URLs — if an attacker can supply URLs or cause the agent to run these scripts, they could be used to reach internal network endpoints (SSRF/probing). (2) SKILL.md mentions storing defaults in config.json 'to be implemented', so expected config behavior is incomplete.
Install Mechanism
There is no install script/spec and no remote downloads — this is instruction-only with bundled Python scripts. No archive downloads or package installs are requested, so install-surface risk is low.
Credentials
The skill declares no required environment variables or credentials, and scripts accept service tokens/keys as command-line arguments (which is proportionate). Warning: passing secrets on command lines can expose them via process lists or shell history. The skill does not request unrelated credentials or config paths.
Persistence & Privilege
The skill does not request always:true or other elevated persistence, and does not attempt to modify other skills or system-wide config. Model invocation is enabled (default), which is normal for skills; combine this with the note about arbitrary URLs if you plan to allow autonomous use.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install webhook-robot - After installation, invoke the skill by name or use
/webhook-robot - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.1.0
- Added support for new webhook platforms: Bark, Go-cqhttp, Gotify, PushDeer, ServerChan, and Telegram.
- Introduced dedicated Python scripts for sending messages to each of the newly supported platforms.
- Updated documentation and metadata to reflect expanded messaging capabilities.
v1.0.1
- Updated package.json (details not shown).
- No changes to usage or documentation in SKILL.md.
v1.0.0
Initial release of webhook-robot.
- Send messages to various webhook-based bots.
- Current support for WeCom (企业微信) group bots.
- Allows sending text messages via script with webhook key or URL.
- Planned support for configuration via config.json.
Metadata
Frequently Asked Questions
What is Webhook Robot?
Send messages to various webhook-based bots (WeCom, DingTalk, Feishu, etc.). It is an AI Agent Skill for Claude Code / OpenClaw, with 1081 downloads so far.
How do I install Webhook Robot?
Run "/install webhook-robot" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Webhook Robot free?
Yes, Webhook Robot is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Webhook Robot support?
Webhook Robot is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Webhook Robot?
It is built and maintained by takedwind (@takedwind); the current version is v1.1.0.
More Skills