WeChat Work OpenClaw Adapter

by richagain · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
Downloads: 632
Stars: 0
Active Installs: 2
Versions: 1
Install in OpenClaw
/install wecom-openclaw
Description
Integrate WeChat Work (Enterprise WeChat) with OpenClaw for intelligent messaging. Enables receiving messages from WeChat Work, processing them with Claude A...
Usage Guidance
This adapter largely does what it claims (WeChat Work ↔ OpenClaw) but there are a few red flags you should consider before installing:
- The registry metadata incorrectly states 'no required env vars' while the code requires multiple sensitive secrets (CORP_ID, AGENT_ID, AGENT_SECRET, APP_SECRET, WEBHOOK_TOKEN, OPENCLAW_TOKEN). Treat this as an inconsistency and verify the source/trustworthiness of the package before supplying credentials.
- Inspect and (if you plan to run it) modify the code to ensure it does not log sensitive fields. The GET /webhook handler currently logs echostr and signatures; remove or sanitize such logs.
- The security guide suggests filtering AI replies, but the runtime does not apply a filter before sending replies. Add filtering (or validate replies) to avoid accidental disclosure of secrets in responses.
- getAccessToken falls back to AGENT_SECRET if APP_SECRET is missing — that is suspicious/incorrect behavior; ensure you set APP_SECRET correctly and consider changing the code to fail instead of using the wrong key.
- The deploy instructions use cloudflared quick tunnels for convenience — do not use quick tunnels in production; prefer a stable named tunnel or proper hosting and add your server IP to WeChat Work’s trusted list as required.
- Run this adapter in an isolated environment (dedicated user, limited network egress, local firewall rules), avoid exposing OpenClaw/API tokens broadly, and rotate credentials after testing.

If you don't trust the publisher or cannot audit the code yourself, do not install or provide any production credentials. If you proceed, apply the logging sanitization and reply-filtering changes, and verify APP_SECRET behavior before putting it into production.
Capability Analysis
Type: OpenClaw Skill
Name: wecom-openclaw
Version: 1.0.0

The skill bundle provides a legitimate integration between WeChat Work (Enterprise WeChat) and OpenClaw. The core logic in `scripts/index.js` correctly implements WeChat's mandatory AES-256-CBC encryption/decryption and SHA1 signature verification protocols. The deployment script (`scripts/deploy.sh`) and documentation (`SKILL.md`, `security-guide.md`) are transparent, follow best practices for webhook handling (such as async replies to avoid timeouts), and contain no evidence of data exfiltration, unauthorized execution, or prompt injection attacks.
Capability Assessment
Purpose & Capability
The skill's code, SKILL.md, and scripts all implement a WeChat Work adapter that calls OpenClaw and therefore legitimately requires WeChat credentials and an OpenClaw token. However, the registry metadata claims 'no required env vars' while the SKILL.md and scripts require CORP_ID, AGENT_ID, AGENT_SECRET, APP_SECRET, WEBHOOK_TOKEN and OPENCLAW_TOKEN. That metadata mismatch is an inconsistency that could mislead users about sensitive requirements.
Instruction Scope
SKILL.md gives concrete, appropriate runtime instructions (deploy, edit .env, run, expose tunnel), and the code follows that workflow. Concerns: the code logs the GET echostr and signature values (which may include a sensitive encrypted payload); the security guide recommends content filtering and log sanitization, but the runtime path does not apply the suggested filterSensitiveContent function to AI replies; and getAccessToken falls back to AGENT_SECRET if APP_SECRET is missing (mixing encryption key and app secret). These gaps increase the risk of accidental leakage or misconfiguration.
Install Mechanism
No remote download/install from untrusted URLs. The provided deploy.sh copies files to a user directory and runs 'npm install', which pulls normal npm dependencies. This is standard for a Node.js adapter and does not in itself indicate an elevated supply-chain risk beyond typical npm dependencies.
Credentials
The environment variables the code requires (WeChat CorpID/AgentID/EncodingAESKey/AppSecret/Webhook token and OPENCLAW_TOKEN) are appropriate for the adapter's function. However, the registry metadata lists none as required, which is inconsistent. The code also writes logs that may contain sensitive values, and the OpenClaw token is sent as a Bearer header; make sure that token is scoped and rotated. The fallback to AGENT_SECRET in getAccessToken is unexpected and could reveal misuse of keys.
Persistence & Privilege
The skill does not request elevated platform privileges or 'always' inclusion. It installs files under a user directory, creates a logs folder, and runs as a normal user service. That level of persistence and privilege is expected for this adapter.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install wecom-openclaw
  3. After installation, invoke the skill by name or use /wecom-openclaw
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release with all battle-tested fixes: msg_signature verification, AES-256-CBC decryption, async reply pattern, IP whitelist handling
Metadata
Slug wecom-openclaw
Version 1.0.0
License MIT-0
All-time Installs 2
Active Installs 2
Total Versions 1
Frequently Asked Questions

What is WeChat Work OpenClaw Adapter?

Integrate WeChat Work (Enterprise WeChat) with OpenClaw for intelligent messaging. Enables receiving messages from WeChat Work, processing them with Claude A... It is an AI Agent Skill for Claude Code / OpenClaw, with 632 downloads so far.

How do I install WeChat Work OpenClaw Adapter?

Run "/install wecom-openclaw" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is WeChat Work OpenClaw Adapter free?

Yes, WeChat Work OpenClaw Adapter is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does WeChat Work OpenClaw Adapter support?

WeChat Work OpenClaw Adapter is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created WeChat Work OpenClaw Adapter?

It is built and maintained by richagain (@richagain); the current version is v1.0.0.
