Downloads: 259
Stars: 0
Active Installs: 0
Versions: 1
Install in OpenClaw
/install wechat-gateway
Description
Provides WeChat callback integration, group and private chat session routing, message sending, and an image-recognition entry point in OpenClaw.
Usage Guidance
This package appears to do what it says: run a local FastAPI webhook that forwards WeChat messages to OpenClaw via the CLI. Before installing, consider:
- Privacy: by default the code uses api.wechatapi.net as the WeChat API backend. Messages and images may be proxied through that third-party service. If you have sensitive data, either host your own WeChat API backend or confirm the third party's privacy/security policy.
- Credentials: WX_API_TOKEN is required — treat it like any service token. Do not paste a privileged token into unknown code or public repos.
- Public exposure: PUBLIC_URL must be reachable from the internet for callbacks. A publicly exposed callback endpoint accepts inbound traffic from the internet; run it behind TLS/a reverse proxy or on an isolated host if needed.
- CLI execution: the gateway invokes the OpenClaw CLI per message (subprocess). Ensure OPENCLAW_BIN points to the intended binary and run in an environment where executing that binary is safe. An attacker replacing that binary could cause arbitrary code execution.
- Storage: the skill writes config.ini, logs, and saved images locally. Monitor disk usage and clear stored images if they contain sensitive content.
- Review & sandboxing: if you are not 100% comfortable, review the full main.py (it’s included) or run it in an isolated VM/container before production use. Verify/pin dependency versions when installing the required Python packages.
If you want a higher-confidence assessment, provide the full (non-truncated) main.py content so I can scan for any hidden network endpoints, unusual subprocess calls, or data-exfiltration patterns.
Capability Analysis
Type: OpenClaw Skill
Name: wechat-gateway
Version: 1.0.0
The skill bundle provides a WeChat gateway for OpenClaw but contains a path traversal vulnerability in `main.py` within the `save_incoming_image_from_base64` function, where an unsanitized `msg_id` from an external API callback is used to construct local file paths. It also implements a weak 'magic phrase' authentication mechanism ('我是你的主人') that allows any user to add themselves to the administrative whitelist. While the code performs high-risk actions such as executing shell commands via `subprocess.run` and communicating with a third-party API (wechatapi.net), these appear to be functional requirements rather than intentional malice.
Capability Assessment
Purpose & Capability
The name/description (WeChat gateway for OpenClaw) match the actual artifacts: SKILL.md, README, and a single-file Python gateway (main.py). The required environment variables (WX_API_TOKEN and PUBLIC_URL) are appropriate for a webhook/gateway service. No unrelated credentials or binaries are requested.
Instruction Scope
Runtime instructions and code focus on receiving WeChat callbacks, parsing messages, constructing session IDs, calling the OpenClaw CLI, and returning results. This aligns with the stated purpose. Important privacy/behavior note: the default WX API base_url is a third-party host (http://api.wechatapi.net/finder/v2/api). By default the gateway will interact with that external service for WeChat API operations — user messages and images may be proxied through that service unless you change configuration or deploy a different backend.
Install Mechanism
This is an instruction-only skill with a bundled main.py; there is no install spec that downloads remote code. Dependencies are standard Python packages listed in README (fastapi, uvicorn, requests, pillow, qrcode). No unusual or opaque download URLs or extract/install steps are present in the manifest.
Credentials
Only WX_API_TOKEN (primary credential) and PUBLIC_URL are required, which are justified by the gateway's need to authenticate with a WeChat API service and advertise a callback URL. The code writes a local config.ini and logs/images to disk; those filesystem writes are consistent with the gateway function. No additional unrelated secrets or config paths are requested.
Persistence & Privilege
The skill does not request always:true and does not alter other skills. It writes a local config.ini, log files, and stores images under the skill directory (logs/, images/) — normal for a gateway service. It also invokes subprocesses to run the OpenClaw CLI; that is in-scope but means the gateway will execute a local binary (OPENCLAW_BIN configurable).
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install wechat-gateway
- After installation, invoke the skill by name or use /wechat-gateway
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
WeChat OpenClaw Gateway initial release.
- Provides a runnable single-file WeChat gateway for OpenClaw, supporting message callbacks, session management, and message/image recognition.
- Handles both group and private messages, including session_id construction, white-list management for private chats, and group trigger word filtering.
- Includes concurrency features: parallel processing for different sessions, ordered processing within the same session.
- Supplies essential configuration guidance and ready-to-use code examples for session and callback handling.
- Ships with main gateway script (`main.py`) and documentation for deployment and ClawHub publishing.
Frequently Asked Questions
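What is 通过微信控制openclaw ("Control OpenClaw via WeChat")?
It provides WeChat callback integration, group and private chat session routing, message sending, and an image-recognition entry point in OpenClaw. It is an AI Agent Skill for Claude Code / OpenClaw, with 259 downloads so far.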
How do I install 通过微信控制openclaw?
Run "/install wechat-gateway" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is 通过微信控制openclaw free?
Yes, 通过微信控制openclaw is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does 通过微信控制openclaw support?
通过微信控制openclaw is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created 通过微信控制openclaw?
It is built and maintained by wechatapi (@wechat-ipad-api); the current version is v1.0.0.