wecom-bot
Pass
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: SAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill documentation and examples use `curl` to communicate with the official Enterprise WeChat API domain (qyapi.weixin.qq.com) for message delivery and media uploads. This is standard and expected behavior for a notification skill.
- [COMMAND_EXECUTION]: The `SKILL.md` file provides shell command examples (`curl`, `base64`, `md5`) and a utility script generation block (`cat > ...`, `chmod +x`). These commands are transparently documented as helper utilities for the user or agent to interact with the service and do not perform any hidden or malicious actions.
- [SAFE]: Credential management is handled through environment variables (`WECOM_BOT_WEBHOOK`) or local configuration files (`~/.clawdbot/clawdbot.json`), ensuring that sensitive keys are not hardcoded within the skill itself.
- [SAFE]: No obfuscation, persistence mechanisms, or unauthorized privilege escalation attempts were detected in the skill files.
Audit Metadata