A skill for sending notifications via WeChat Work.
Security Analysis
High confidence: The skill's code, instructions, and requirements match its stated purpose (sending WeCom/WeChat Work webhook notifications); nothing in the package appears to ask for unrelated credentials or contact unexpected endpoints, but review runtime logging and npm dependency practices before installing.
Name/description (WeCom webhook notifications) align with the included files and behavior: index.js posts to a provided webhook URL and SKILL.md shows CLI and code usage. Dependencies (axios) are appropriate for HTTP calls.
SKILL.md instructions are in-scope (copy to ~/.openclaw/skills, run npm install, supply webhook URL). The code emits console logs of configuration and request payloads (it masks the webhook token path but still logs request data/content), which can expose message content or webhook tokens in local logs — consider this before using in environments where logs are collected.
No install spec in registry; SKILL.md asks the user to run npm install in the skill directory which will fetch axios from the public npm registry. This is expected for a Node skill but carries the usual npm supply-chain risks; the package.json lists only axios as a dependency.
The skill requests no environment variables, credentials, or config paths. It only requires the webhook URL provided at runtime or via a configurable defaultWebhook — this is proportionate to the stated purpose.
Skill is not set to always:true and doesn't request elevated platform privileges. It stores its own configurable defaultWebhook in its config object according to SKILL.md; nothing indicates modification of other skills or global agent settings.
Guidance
This skill appears to do exactly what it says: POST messages to a WeCom webhook you supply. Before installing: (1) keep webhook URLs secret — anyone with the URL can post messages; (2) review or remove noisy console logging in index.js if you don't want message content or masked webhook paths appearing in agent logs; (3) run npm install in a controlled environment and consider auditing or pinning the axios dependency (supply-chain risk); (4) test with a throwaway webhook first to confirm behavior; and (5) if your system aggregates logs externally, ensure logs from this skill won't leak sensitive content. If you need higher assurance, review the full index.js file locally (it is short and readable) or run it in an isolated container.
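The logging concern raised above (masked webhook path, but message content still written to local logs) is illustrated by this added example; it is not the skill's own index.js. It assumes the standard WeCom robot webhook URL shape (`.../webhook/send?key=<token>`) and payload shape (`{ msgtype, text|markdown: { content } }`), and the sample URL and message are constructed placeholders.

```javascript
// Added example (not the skill's index.js): log a WeCom webhook send without
// leaking the webhook key or the message content. Assumes the standard WeCom
// robot URL (...webhook/send?key=<token>) and payload ({ msgtype, <msgtype>: { content } }).

// Replace the key query parameter so the token never reaches the log.
function redactWebhookUrl(webhookUrl) {
  const url = new URL(webhookUrl);
  if (url.searchParams.has('key')) url.searchParams.set('key', 'REDACTED');
  return url.toString();
}

// Reduce the payload to metadata: type, size, and whether @all was used.
function summarizeForLog(payload) {
  const body = payload[payload.msgtype] || {};
  const content = typeof body.content === 'string' ? body.content : '';
  return {
    msgtype: payload.msgtype,
    contentLength: content.length,
    mentionsAll: Array.isArray(body.mentioned_list) && body.mentioned_list.includes('@all'),
  };
}

// Noisy form (what the review warns about): the URL is masked, but the full
// payload, including message content, still lands in the log.
function noisyLogLine(webhookUrl, payload) {
  return JSON.stringify({ url: redactWebhookUrl(webhookUrl), payload });
}

// Hardened form: only the send metadata is logged.
function safeLogLine(webhookUrl, payload) {
  return JSON.stringify({ url: redactWebhookUrl(webhookUrl), ...summarizeForLog(payload) });
}

// Constructed sample values (placeholder key, not a real webhook).
const SAMPLE_URL = 'https://qyapi.weixin.qq.com/cgi-bin/webhook/send?key=0123-placeholder-key';
const SAMPLE_PAYLOAD = {
  msgtype: 'text',
  text: { content: 'deploy finished: build 42', mentioned_list: ['@all'] },
};

console.log(noisyLogLine(SAMPLE_URL, SAMPLE_PAYLOAD));
console.log(safeLogLine(SAMPLE_URL, SAMPLE_PAYLOAD));
```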
Latest Release
v1.0.0
qywx-notify 1.0.0 initial release:
- Send notifications to WeChat Work (WeCom) group chats via robot webhook.
- Supports text, image (Markdown format), and rich Markdown messages.
- Includes CLI and code-based invocation, with optional @all mention.
- Features robust error handling, auto retry on failure, and common usage examples.
- Provides integration guidance for Node.js and Python.
- Details security best practices and troubleshooting steps.
Published by @yc-weichao on ClawHub