wechat-ipad-api

Control OpenClaw via WeChat

Author: wechatapi · GitHub · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 259
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install wechat-gateway
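Description
Provides WeChat callback integration, group and private chat session routing, message sending, and an image recognition entry point in OpenClaw.
Security usage recommendations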
This package appears to do what it says: run a local FastAPI webhook that forwards WeChat messages to OpenClaw via the CLI. Before installing, consider:
- Privacy: by default the code uses api.wechatapi.net as the WeChat API backend. Messages and images may be proxied through that third-party service. If you have sensitive data, either host your own WeChat API backend or confirm the third party's privacy/security policy.
- Credentials: WX_API_TOKEN is required — treat it like any service token. Do not paste a privileged token into unknown code or public repos.
- Public exposure: PUBLIC_URL must be reachable from the internet for callbacks. Exposing a public callback can accept inbound traffic; run behind TLS/reverse-proxy or on an isolated host if needed.
- CLI execution: the gateway invokes the OpenClaw CLI per message (subprocess). Ensure OPENCLAW_BIN points to the intended binary and run in an environment where executing that binary is safe. An attacker replacing that binary could cause arbitrary code execution.
- Storage: the skill writes config.ini, logs, and saved images locally. Monitor disk usage and clear stored images if they contain sensitive content.
- Review & sandboxing: if you are not 100% comfortable, review the full main.py (it’s included) or run it in an isolated VM/container before production use. Verify/pin dependency versions when installing the required Python packages.
If you want a higher-confidence assessment, provide the full (non-truncated) main.py content so I can scan for any hidden network endpoints, unusual subprocess calls, or data-exfiltration patterns.
Functional analysis
Type: OpenClaw Skill
Name: wechat-gateway
Version: 1.0.0
The skill bundle provides a WeChat gateway for OpenClaw but contains a path traversal vulnerability in `main.py` within the `save_incoming_image_from_base64` function, where an unsanitized `msg_id` from an external API callback is used to construct local file paths. It also implements a weak 'magic phrase' authentication mechanism ('我是你的主人') that allows any user to add themselves to the administrative whitelist. While the code performs high-risk actions such as executing shell commands via `subprocess.run` and communicating with a third-party API (wechatapi.net), these appear to be functional requirements rather than intentional malice.
Capability assessment
Purpose & Capability
The name/description (WeChat gateway for OpenClaw) match the actual artifacts: SKILL.md, README, and a single-file Python gateway (main.py). The required environment variables (WX_API_TOKEN and PUBLIC_URL) are appropriate for a webhook/gateway service. No unrelated credentials or binaries are requested.
Instruction Scope
Runtime instructions and code focus on receiving WeChat callbacks, parsing messages, constructing session IDs, calling the OpenClaw CLI, and returning results. This aligns with the stated purpose. Important privacy/behavior note: the default WX API base_url is a third-party host (http://api.wechatapi.net/finder/v2/api). By default the gateway will interact with that external service for WeChat API operations — user messages and images may be proxied through that service unless you change configuration or deploy a different backend.
Install Mechanism
This is an instruction-only skill with a bundled main.py; there is no install spec that downloads remote code. Dependencies are standard Python packages listed in README (fastapi, uvicorn, requests, pillow, qrcode). No unusual or opaque download URLs or extract/install steps are present in the manifest.
Credentials
Only WX_API_TOKEN (primary credential) and PUBLIC_URL are required, which are justified by the gateway's need to authenticate with a WeChat API service and advertise a callback URL. The code writes a local config.ini and logs/images to disk; those filesystem writes are consistent with the gateway function. No additional unrelated secrets or config paths are requested.
Persistence & Privilege
The skill does not request always:true and does not alter other skills. It writes a local config.ini, log files, and stores images under the skill directory (logs/, images/) — normal for a gateway service. It also invokes subprocesses to run the OpenClaw CLI; that is in-scope but means the gateway will execute a local binary (OPENCLAW_BIN configurable).
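How to use
  1. Make sure OpenClaw is installed (locally or deployed with Docker)
  2. Enter the install command in the chat box: /install wechat-gateway
  3. Once installation finishes, invoke the Skill by its name or trigger it with /wechat-gateway
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history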
v1.0.0
WeChat OpenClaw Gateway initial release.
- Provides a runnable single-file WeChat gateway for OpenClaw, supporting message callbacks, session management, and message/image recognition.
- Handles both group and private messages, including session_id construction, white-list management for private chats, and group trigger word filtering.
- Includes concurrency features: parallel processing for different sessions, ordered processing within the same session.
- Supplies essential configuration guidance and ready-to-use code examples for session and callback handling.
- Ships with main gateway script (`main.py`) and documentation for deployment and ClawHub publishing.
Metadata
Slug wechat-gateway
Version 1.0.0
License MIT-0
Total installs 0
Current installs 0
Historical versions 1
FAQ

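What is Control OpenClaw via WeChat?

It provides WeChat callback integration, group and private chat session routing, message sending, and an image recognition entry point in OpenClaw. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 259 downloads to date.

How do I install Control OpenClaw via WeChat?

Run the command "/install wechat-gateway" in the OpenClaw or Claude Code chat box for a one-step install; no additional configuration is needed.

Is Control OpenClaw via WeChat free?

Yes, Control OpenClaw via WeChat is completely free and released under the MIT-0 license; it can be freely downloaded, installed, and used.

Which platforms does Control OpenClaw via WeChat support?

Control OpenClaw via WeChat runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Control OpenClaw via WeChat?

It is developed and maintained by wechatapi (@wechat-ipad-api); the current version is v1.0.0.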
