QQBot Media Sender

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed QQ media/file helper; the main risk is accidentally sharing the wrong local files or QQ recipient, not hidden malicious behavior.

Install only if you want an agent to prepare QQ media/file sends. Use explicit file paths, review wildcard or directory matches before sending, verify the QQ chat or group target, and avoid sharing workspace, home, temporary, or document folders that may contain private data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium
Confidence: 90%
Finding:
The README encourages sending arbitrary local files, screenshots, and workspace PDFs to QQ chats and groups, but provides no warning about privacy, data classification, recipient verification, or the risk of disclosing sensitive local data. In an agent skill context, this can normalize exfiltration of user or workspace content to external recipients, especially when examples reference broad globs and group delivery.

Missing User Warnings

Medium
Confidence: 95%
Finding:
The skill encourages sending arbitrary local files, images, and documents to QQ chats and groups without any visible warning about data disclosure, privacy, or accidental sharing of sensitive workspace content. In this context, examples such as sending files from the local workspace make the risk more concrete because users may unintentionally transmit confidential documents to external recipients.

VirusTotal

64/64 vendors flagged this skill as clean.
