ClawHub

Openclaw Qqbot 2026.5.26.Tgz

Security checks across malware telemetry and agentic risk

Overview

This official QQ bot plugin is largely purpose-aligned, but it needs review because it can export local logs broadly and silently retain and restore bot credentials.

Install only if you trust the OpenClaw QQ bot integration and are comfortable giving it QQ bot credentials plus authority to send messages, manage QQ channel resources, schedule reminders, and expose admin commands to explicitly authorized QQ users. Review who is in the command allowlist, prefer secret providers or environment/file secrets over plaintext config, manually remove credential-backup files when truly logging out, and avoid using /bot-logs unless you have checked logs for secrets or private message content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The quota-exceeded error message discloses a concrete host filesystem path and explicitly instructs the recipient to copy the file directly from the machine. This leaks internal directory structure and can encourage out-of-band access to server-hosted data, which is especially dangerous if untrusted users can trigger this code path or if the host exposes shared storage.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The log export helper claims to use configured logging paths, but the implementation enumerates environment-derived state directories, common home-directory locations, process working directories, AppData, /var/log, and temp folders. In a chat-exposed command like /bot-logs, this broad discovery behavior can unintentionally collect and export local files from more locations than operators expect, increasing the chance of disclosing sensitive runtime information.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The skill stores QQBot appId/clientSecret in local backup files and later restores them automatically into live configuration, but this file shows no user-facing notice, consent, or policy guard around that secret persistence. Silent persistence of credentials increases the blast radius of local filesystem compromise and can surprise operators who believed logout or config edits removed the secret.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The QR-based setup flow takes retrieved AppSecret values and writes them directly back into configuration, likely as plaintext. This creates a credential-persistence risk: secrets may end up stored in config files, backups, logs, or version control without the user's clear awareness, increasing the chance of credential compromise.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The manual setup flow collects an AppSecret interactively and then persists it into configuration without directing it to secure secret storage. This can expose sensitive credentials to anyone with filesystem access and can lead to accidental leakage through config syncing, backups, or source control.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The /bot-logs command exports local log files directly to the requesting user without any user-facing warning that logs may contain secrets, tokens, filesystem paths, message content, or other sensitive host and user data. Because this command is remotely accessible to authorized chat users, the missing warning and lack of minimization/redaction materially increase the risk of sensitive information disclosure.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger rule is extremely broad and forces tool invocation whenever common reminder-related words appear, which can cause the skill to activate in ordinary discussion rather than clear user intent to create a reminder. In a messaging context, this can lead to unintended scheduled jobs, surprise outbound notifications, and action taken without sufficiently explicit confirmation.

VirusTotal

60/60 vendors flagged this plugin as clean.

View on VirusTotal