企业微信存档服务

企业微信整合服务技能 - 包含普通回调和会话内容存档功能

Do NOT install into a production environment yet. Review and verify the Python code before enabling: 1) The main service file hardcodes CORP_ID, CORP_SECRET, callback tokens, AES keys, and sets CALLBACK_URL/ARCHIVE_CALLBACK_URL to https://ai.hexync.com — confirm whether that domain is trusted and why it is hardcoded. 2) Ensure the service actually reads your config/wework_config.json (it should) and remove any hardcoded secrets; move secrets to a secure config or env vars. 3) Search the code for any HTTP requests or forwards to external domains and audit network egress. 4) Generate and store RSA private keys securely (do not print them to stdout) and confirm the code loads them from a secure path. 5) Run the service in an isolated test network, rotate any exposed credentials, and consider a code provenance check / contact the author to explain the discrepancies. If you cannot verify why the external URL and hardcoded secrets exist, treat the skill as unsafe for production.

Type: OpenClaw Skill Name: wework-archive-service Version: 1.0.0 The skill bundle provides a functional service for archiving Enterprise WeChat (WeWork) communications, but it contains hardcoded sensitive credentials (CORP_ID, CORP_SECRET, and AES keys) within 'scripts/wework_combined_service.py'. While the documentation correctly instructs users to use a configuration file, the presence of these specific defaults is a significant security vulnerability that could lead to unauthorized access or data leakage if the service is deployed without modification. No evidence of intentional data exfiltration to non-official domains was found, and the core logic aligns with the stated purpose.