wecom-bot-mcp-server
Verified Safe
by loonghao
Overview
Integrates AI assistants with WeCom (WeChat Work) for automated messaging and file/image sharing.
Installation
uvx wecom-bot-mcp-server
Environment Variables
- WECOM_WEBHOOK_URL
Security Notes
- Path traversal: The server exposes `send_wecom_file` and `send_wecom_image` tools that accept local file paths (`file_path`, `image_path`) from AI agents. While basic existence and file type checks are performed, the source code does not show explicit path sanitization or canonicalization to prevent path traversal attacks (e.g., `../../etc/passwd`). An AI agent, if compromised or maliciously crafted, could potentially read or upload arbitrary files from the server's filesystem to WeCom.
- SSRF: The `download_image` function retrieves content from user-provided URLs, which could pose an SSRF risk if not properly constrained or validated beyond basic content-type checking.
- Memory exhaustion: The `message_history` is stored as a global list that accumulates messages indefinitely, which could lead to memory exhaustion (Denial-of-Service) in a long-running server process interacting with multiple clients over time.
Similar Servers
slack-mcp-server
Model Context Protocol (MCP) server providing real-time and historical Slack data access to AI models.
tmcp
Build Model Context Protocol (MCP) servers for AI agents to interact with external tools and data sources, enabling LLMs to access context and perform actions.
qiniu-mcp-server
Provides a Model Context Protocol (MCP) server that enables AI models to interact with Qiniu cloud services including storage, intelligent multimedia processing, CDN, and live streaming.
mcp-advisor
Provides LLMs and humans with comprehensive, version-controlled access to the Model Context Protocol (MCP) specification and documentation through prompts and resources.