Name: wecom-openclaw Security Report — Trusted | ClawSafe
Item: wecom-openclaw
Rating: 95
Author: ClawSafe

This report was generated in Chinese. Some content may be in Chinese.

5 /100

wecom-openclaw

WeChat Work (企业微信) 与 OpenClaw 的集成适配器，通过Webhook接收消息、调用AI异步回复

标准的企业微信Webhook适配器，用于接收微信消息、调用OpenClaw AI并异步回复，无恶意行为，所有预扫描标记的base64操作均为标准加密流程。

Skill Namewecom-openclaw

Duration33.7s

Enginepi

ClawHub WeChat Work OpenClaw Adapter v1.0.0 by richagain

📥 481 📦 2

ClawHub Verdict Suspicious env_credential_accessllm_suspicious

✓

Safe to install

可直接使用。建议生产环境实施security-guide.md中推荐的加固措施（响应内容过滤、速率限制、消息去重）。

Findings 1 items

Severity	Finding	Location
Low	npm依赖未锁定patch版本 Supply Chain deploy.sh中dependencies使用^版本范围（如axios:^1.8.4），允许自动升级patch，可能引入意外变更 `"axios": "^1.8.4"` → 生产环境使用精确版本（axios:"1.8.4"）或~范围（axios:"~1.8.4"）	`scripts/deploy.sh:22`

Resource	Declared	Inferred	Status	Evidence
Network	`READ`	`READ`	✓ Aligned	scripts/index.js:192 POST到qyapi.weixin.qq.com; scripts/index.js:260 GET gettoke…
Filesystem	`WRITE`	`WRITE`	✓ Aligned	scripts/index.js:28 创建logsDir; scripts/index.js:34 追加日志文件
Environment	`READ`	`READ`	✓ Aligned	scripts/index.js:14 读取CORP_ID/AGENT_ID等8个变量
Shell	`WRITE`	`WRITE`	✓ Aligned	scripts/deploy.sh:1 部署脚本执行mkdir/cp/npm install

4 Critical 10 findings

🔒

Critical Encoded Execution Base64 编码执行（代码混淆）

Buffer.from(AGENT_SECRET + '=', 'base64'

scripts/index.js:94

🔒

Critical Encoded Execution Base64 编码执行（代码混淆）

Buffer.from(echostr, 'base64'

scripts/index.js:97

🔒

Critical Encoded Execution Base64 编码执行（代码混淆）

Buffer.from(encodingAESKey + '=', 'base64'

scripts/index.js:216

🔒

Critical Encoded Execution Base64 编码执行（代码混淆）

Buffer.from(encryptedMsg, 'base64'

scripts/index.js:219

🔗

Medium External URL 外部 URL

https://work.weixin.qq.com

references/setup-guide.md:12

🔗

Medium External URL 外部 URL

https://your-tunnel.trycloudflare.com/webhook

references/setup-guide.md:20

🔗

Medium External URL 外部 URL

https://xxx.trycloudflare.com

references/setup-guide.md:56

🔗

Medium External URL 外部 URL

https://xxx.trycloudflare.com/webhook

references/setup-guide.md:67

🔗

Medium External URL 外部 URL

https://qyapi.weixin.qq.com/cgi-bin/message/send?access_token=$

scripts/index.js:192

🔗

Medium External URL 外部 URL

https://qyapi.weixin.qq.com/cgi-bin/gettoken?corpid=$

scripts/index.js:260

File Tree

5 files · 22.5 KB · 697 lines

Markdown 3f · 321L JavaScript 1f · 310L Shell 1f · 66L

├─ ▾ 📁 references

│ ├─ 📝 security-guide.md Markdown 98L · 2.5 KB

│ └─ 📝 setup-guide.md Markdown 100L · 2.9 KB

├─ ▾ 📁 scripts

│ ├─ 🔧 deploy.sh Shell 66L · 1.7 KB

│ └─ 📜 index.js JavaScript 310L · 10.3 KB

└─ 📝 SKILL.md Markdown 123L · 5.1 KB

Dependencies 4 items

Package	Version	Source	Known Vulns	Notes
`express`	`^4.21.2`	npm	No	锁定主版本
`axios`	`^1.8.4`	npm	No	未锁定patch版本
`xml2js`	`^0.6.2`	npm	No	未锁定patch版本
`dotenv`	`^16.4.7`	npm	No	锁定主版本

Security Positives

✓ 所有预扫描标记的Buffer.from base64操作均为标准加密流程（WeCom API要求），无代码混淆

✓ msg_signature SHA1验证防止伪造消息（SKILL.md已声明）

✓ AES-256-CBC加密/解密为企业微信标准协议（SKILL.md已声明）

✓ 返回200立即应答+异步处理AI回复，避免超时，符合SKILL.md设计

✓ 无eval/dynamic code execution，无反分析技术

✓ 无凭证收割、环境变量遍历、敏感路径访问等恶意行为

✓ 提供完整security-guide.md，包含签名验证、AES加密、token缓存等安全建议

✓ Token缓存机制减少API调用暴露面

✓ package.json锁定主版本，生产依赖安全性可控

Scan Report

Findings 1 items

File Tree

Dependencies 4 items

Security Positives