🤖 Webhook Robot — Webhook 机器人
v1.1.0Webhook 机器人工具。
0· 971·4 当前·4 累计
by 安全扫描
OpenClaw
安全
high confidenceThe skill's code and instructions match its stated purpose (sending webhook messages) and don't request unrelated privileges, though there are a few small inconsistencies and operational risks to be aware of.
评估建议
This skill appears to do what it says (send webhook messages). Before installing or using it: (1) review the scripts yourself (they are bundled and readable). (2) Avoid passing secret tokens on long-lived command lines—prefer secure config files or protected env vars if you adapt the scripts. (3) Be cautious about allowing autonomous/unsupervised use: the scripts accept arbitrary URLs, so an untrusted prompt could cause the agent to send requests to internal network endpoints. (4) Note the SKILL...详细分析 ▾
ℹ 用途与能力
The package contains Python scripts to send messages to many webhook services (WeCom, DingTalk, Feishu, Bark, Telegram, PushDeer, ServerChan, GoCqHttp, Gotify), which is coherent with the skill name and README. SKILL.md's brief usage section only shows WeCom and says 'currently supports WeCom' (and references a not-yet-implemented config.json) — this is a documentation mismatch but not an outright capability/credential incoherence. Required binary (python3) is appropriate.
ℹ 指令范围
Runtime instructions simply call the included scripts with user-supplied tokens/URLs. The scripts do network calls only to webhook endpoints (or whatever URL the user supplies). They do not read unrelated files or environment variables. Two operational notes: (1) many scripts accept arbitrary full URLs — if an attacker can supply URLs or cause the agent to run these scripts, they could be used to reach internal network endpoints (SSRF/probing). (2) SKILL.md mentions storing defaults in config.json 'to be implemented', so expected config behavior is incomplete.
✓ 安装机制
There is no install script/spec and no remote downloads — this is instruction-only with bundled Python scripts. No archive downloads or package installs are requested, so install-surface risk is low.
ℹ 凭证需求
The skill declares no required environment variables or credentials, and scripts accept service tokens/keys as command-line arguments (which is proportionate). Warning: passing secrets on command lines can expose them via process lists or shell history. The skill does not request unrelated credentials or config paths.
✓ 持久化与权限
The skill does not request always:true or other elevated persistence, and does not attempt to modify other skills or system-wide config. Model invocation is enabled (default), which is normal for skills; combine this with the note about arbitrary URLs if you plan to allow autonomous use.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.1.02026/2/13
- Added support for new webhook platforms: Bark, Go-cqhttp, Gotify, PushDeer, ServerChan, and Telegram. - Introduced dedicated Python scripts for sending messages to each of the newly supported platforms. - Updated documentation and metadata to reflect expanded messaging capabilities.
● 可疑
安装命令 点击复制
官方npx clawhub@latest install webhook-robot
镜像加速npx clawhub@latest install webhook-robot --registry https://cn.clawhub-mirror.com
技能文档
A universal skill to send messages to webhook-based chat bots. Currently supports WeCom (企业微信).
Usage
WeCom (企业微信)
Send a text message to a WeCom group bot.
# Basic usage (requires configuring webhook url or passing it)
scripts/send_wecom.py --key --content "Hello from OpenClaw!"# Or full webhook url
scripts/send_wecom.py --url "https://qyapi.weixin.qq.com/cgi-bin/webhook/send?key=..." --content "Hello!"
Configuration
You can store your default webhook keys/URLs in config.json (to be implemented) or pass them as arguments.
数据来源:ClawHub ↗ · 中文优化:龙虾技能库
OpenClaw 技能定制 / 插件定制 / 私有工作流定制
免费技能或插件可能存在安全风险,如需更匹配、更安全的方案,建议联系付费定制