← 返回 Skills 市场
WeCom Task Manager
作者
jhZheng222
· GitHub ↗
· v1.2.2
· MIT-0
107
总下载
0
收藏
0
当前安装
2
版本数
在 OpenClaw 中安装
/install wecom-task-manager
功能描述
Manage, track, and update enterprise WeCom tasks and goals with creation, progress, status reports, filtering, and dependency handling for authorized agents.
安全使用建议
This skill appears to implement what it claims (WeCom smart-sheet task management) but has implementation and metadata inconsistencies and at least one concrete security weakness:
- Inconsistency: The code requires mcporter (hardcoded path) and workspace MCP configuration, but the registry metadata lists no required binaries or credentials. Ask the publisher to declare mcporter as a required binary and to document where credentials are stored.
- Command injection risk: run_mcporter builds a shell command containing JSON args and calls subprocess.run(..., shell=True). If any task fields (titles, descriptions, output_url, etc.) come from untrusted sources, they could be crafted to break out of the JSON quoting and execute arbitrary shell commands. Before installing, request a fix to run mcporter using a safe argument list (avoid shell=True and pass args as a list) or to properly escape inputs.
- Workspace access & secrets: The skill changes cwd to ~/.openclaw/workspace and will rely on MCP configuration there; ensure sensitive credentials (WeCom API tokens/config) are stored securely and that you trust the skill's author. The config.json may contain docId/sheetId and potentially other secrets in your environment; don't install in environments with sensitive data until you confirm where credentials live.
- Auto-load/global: Because autoLoad/global is true, the skill will be loaded widely; only install if you trust the author or run it in an isolated environment first.
Actionable steps before using:
1) Ask the publisher for the authoritative source repository and for the declared runtime dependencies (mcporter path/version) and credential requirements.
2) Run the skill in an isolated test environment (no production secrets) and inspect mcporter calls to verify no unexpected side effects.
3) Patch run_mcporter to call subprocess.run with a list of args (no shell=True) or use a proper client API to avoid shell injection.
4) Ensure config.json does not contain secrets you wouldn't want the skill to access, and confirm where WeCom credentials are stored and who can read them.
If you cannot verify the author or cannot fix the subprocess usage, treat the skill as high-risk and do not install it in production systems.
能力评估
Purpose & Capability
The code and documentation implement a WeCom (企业微信) smart-sheet driven task manager and call a 'mcporter' tool (wecom-doc.* operations). That matches the stated purpose. However the skill metadata/registry declared no required binaries or env vars while the code hardcodes a local mcporter binary path (/usr/local/Cellar/node/25.6.0/bin/mcporter) and expects mcporter to exist; this is an inconsistency (the skill will fail or behave unexpectedly if mcporter is absent or placed elsewhere).
Instruction Scope
SKILL.md and the scripts instruct the agent to switch the working directory to ~/.openclaw/workspace and to call mcporter to read/update enterprise WeCom tables. The code reads local config.json and workspace files and relies on AGENT_ID from the environment if not passed in. This is within the task-manager scope but it also gives the skill access to the user's workspace and configuration files which are outside a minimal 'task API' surface — worth noting. Crucially, run_mcporter constructs a shell command with user-controlled JSON args and calls subprocess.run(..., shell=True) — this is a command-injection risk if input fields contain single quotes or crafted payloads.
Install Mechanism
There is no install spec (instruction-only), but full Python code and package.json are included. package.json and _meta.json mention a dependency on 'mcporter' while the registry's declared required binaries list is empty — inconsistent. The skill will implicitly require a functioning mcporter and appropriate MCP config in the user's workspace; that requirement is not surfaced in registry metadata.
Credentials
The skill declares no required env vars but the code reads AGENT_ID from the environment if agent_id is not supplied. config.json (copied from template) contains enterpriseWeChat.docId and sheetId which are sensitive configuration values needed to access the organization's smart sheet; these are not flagged as secrets in the registry. The code's reliance on mcporter and workspace MCP configuration means credentials for WeCom access will likely live in workspace configuration (outside the skill) — the skill requests effective access to those credentials implicitly without declaring them.
Persistence & Privilege
_meta.json and SKILL.md mark the skill as global and autoLoad=true (a global skill auto-loaded by the agent framework). While 'always' is false, autoLoad/global status means the skill will be present broadly. Combined with changing the current working directory to ~/.openclaw/workspace and using subprocesses, this broader presence increases the blast radius if the unsafe subprocess usage or misconfiguration is exploited.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install wecom-task-manager - 安装完成后,直接呼叫该 Skill 的名称或使用
/wecom-task-manager触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.2.2
docs: 更新联系方式为 jhZheng222 仓库
v1.2.1
fix: complete_task CLI bug + add P3 priority docs
元数据
常见问题
WeCom Task Manager 是什么?
Manage, track, and update enterprise WeCom tasks and goals with creation, progress, status reports, filtering, and dependency handling for authorized agents. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 107 次。
如何安装 WeCom Task Manager?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install wecom-task-manager」即可一键安装,无需额外配置。
WeCom Task Manager 是免费的吗?
是的,WeCom Task Manager 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
WeCom Task Manager 支持哪些平台?
WeCom Task Manager 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 WeCom Task Manager?
由 jhZheng222(@jhzheng222)开发并维护,当前版本 v1.2.2。
推荐 Skills