Skill v1.0.2
ClawScan security
Fully automatic Qwen registration, achieving unlimited cup renewals, with timed detection for fully automatic registration · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 10, 2026, 5:55 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's purpose (auto-register Qwen accounts) is coherent with its use of Python and Playwright, but it asks you to install an untrusted GitHub package, silently overwrites the agent's auth tokens (without declaring that config access), and can perform network actions that are not fully visible — proceed with caution.
- Guidance: What to consider before installing/using this skill:
  - It requires you to pip install an unvetted package from a GitHub repository (auto-register). That package will run code on your machine — review its source before installing.
  - The skill will overwrite ~/.openclaw/agents/main/agent/auth-profiles.json (agent credentials) and usage-stats.json and does not keep backups. Back up those files first if you might lose important tokens.
  - The skill performs automated account creation and email verification (likely using external temporary-email services). This can be used to bypass API limits and may violate terms of service — be sure you understand legal/ethical implications.
  - The SKILL.md asks you to set system proxy env vars for network access; avoid global changes if you don't want to route all traffic. Prefer running in an isolated environment (container or VM).
  - If you must try it: inspect the auto-register repository code, test in an isolated VM/container, and manually back up auth-profiles.json before running. Do not grant it persistent or automatic invocation until you trust the upstream package.
Review Dimensions
- Purpose & Capability (concern): Name/description (automatic Qwen registration) matches the code and SKILL.md: it expects to run a headless browser to create accounts and obtain tokens. However, the skill reads/writes the agent's auth-profiles.json and usage-stats.json under ~/.openclaw/agents/... — this is privileged access to the agent's stored credentials/config but the skill metadata did not declare any required config paths. Overwriting agent credentials is a higher-privilege action than a simple helper and should have been declared.
- Instruction Scope (concern): SKILL.md instructs installing an external pip package and Playwright, configuring proxies, and describes generating temporary email, verifying, extracting tokens, writing auth-profiles.json, resetting usage stats, and restarting the Gateway. The provided main.py indeed writes/overwrites auth-profiles.json and usage-stats.json. The runtime instructions therefore include modifying agent configuration and performing automated network-driven account creation — actions that go beyond simple local helpers and can have side effects (destructive overwrite, mass account creation).
- Install Mechanism (concern): There is no formal install spec in the skill bundle; SKILL.md and requirements.txt instruct the user to pip install a package directly from a GitHub repo (git+https://github.com/2263648274/qwen-auto-register.git) and to run 'playwright install chromium'. Installing arbitrary code from an unknown GitHub repo is moderate-to-high risk because that package (auto-register) will execute arbitrary code on install/run and is not vetted here.
- Credentials (concern): The skill declares no required environment variables or config paths, but the documentation encourages setting HTTP_PROXY/HTTPS_PROXY and the code reads/writes files under the agent home directory (~/.openclaw/agents/...). The skill therefore uses environment/config resources that are not declared in its metadata. It also will overwrite stored auth tokens without backing them up, which is disproportionate for a helper unless the user explicitly consents and understands the risk.
- Persistence & Privilege (concern): 'always' is false (good), but the skill modifies agent-level files (auth-profiles.json) used to store credentials. This is a form of system-wide/agent-level configuration modification rather than just operating within its own sandbox. The skill overwrites tokens (no backup) and claims to restart the Gateway (SKILL.md mentions this) — modifying agent settings in this way warrants caution.
