Wechat Sendmedia

send images and files to a wechat conversation through openclaw's wechat channel. use when the user asks to send a local image, send a screenshot, send a dow...

This skill appears to do what it claims: build plain-text MEDIA:file:// tokens and optionally collect debug info. Key points to consider before installing or running it: - The normal send flow (emit_media_reply.py) only reads the file you tell it about and prints a reply payload; it does not contact external endpoints. - The optional debug script (weixin_debug_send.js) will read files under ~/.openclaw/openclaw-weixin/accounts (looks for *.context-tokens.json) to determine whether a recipient's context token exists. Those files can contain sensitive session/token data — run the debug step only if you trust the environment and reviewer. - There are no declared environment variables or external network endpoints in the bundled code; still review any debug output before sharing it externally because it may include upload_url, sendmessage_response, or file paths. - If you want stricter privacy, do not run the debug script or inspect/sanitize the debug JSON before sharing. If you need assurance, open and review the two script files locally before running the skill.

Type: OpenClaw Skill Name: wechat-sendmedia Version: 1.0.1 The skill contains a diagnostic script `scripts/weixin_debug_send.js` that accesses sensitive application data located in `~/.openclaw/openclaw-weixin/accounts` to verify the presence of WeChat context tokens. While the script is designed for troubleshooting media delivery failures, it possesses high-risk capabilities, such as probing for specific recipients within token files and reading arbitrary JSON files via the `debugPath` argument to extract specific fields. Although no evidence of intentional exfiltration or malicious intent was found, the ability to access and report on the status of sensitive session-related files is a significant security risk.