Skill v1.0.0

ClawScan security

QQBot Media Sender · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 11, 2026, 6:57 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill claims to send files to QQ, but the shipped code does not actually perform any network/send operation — it only validates files and emits tags/paths, so its stated capability is not implemented and the package is ambiguous.
Guidance
This package advertises sending media to QQ but the included sender.js only validates files and prints/emits tags (e.g., <qqimg>/abs/path</qqimg>) — it does not actually upload or send data to QQ or call any QQ API. Before installing or running it: 1) confirm how 'sending' is actually implemented in your environment (is there a separate QQBot that consumes these tags?), 2) inspect and test the CLI in a safe non-sensitive directory to verify behavior, 3) beware that it will resolve absolute file paths and read file metadata (it can enumerate and stat files you point it at), and 4) note features like compression are advertised but not implemented in the shipped code. If you need an automated sender, prefer a package that clearly documents and implements the network interaction, or ask the author for clarification. If you don't trust the author or lack clarity, do not run the tool on directories containing sensitive data.

Review Dimensions

Purpose & Capability
concern: The name/description promise 'send to QQ' (including batch sending, automatic compression, progress). However sender.js only checks files, enforces size limits, generates <qqimg>/<qqvideo>/<qqfile> tags with absolute paths, logs progress, and returns results. There are no network calls, no QQ API integration, and no code implementing compression. This mismatch (advertised sending vs. actual local tag generation) is a substantive incoherence. A plausible benign explanation is that another local QQBot service consumes these tags, but that relationship is not documented or enforced here.
Instruction Scope
concern: SKILL.md instructs users to run the CLI to send files and gives examples that imply files will be transmitted. The instructions also reference scanning user directories (e.g., ~/.openclaw/workspace/*.pdf). The runtime instructions do not document that the tool merely emits tags for a separate service, so following them may give users a false sense that files were sent when they may not be. The tool reads any provided file paths and stat information (but does not exfiltrate contents).
Install Mechanism
ok: No install spec is provided (instruction-only install), and the package includes the JS source and a bin entry. Nothing is downloaded from external URLs and no extraction is performed, which is low-risk from an installer perspective.
Credentials
ok: The skill declares no required environment variables, no credentials, and no config paths. The code does not attempt to read environment secrets. This is proportionate.
Persistence & Privilege
ok: 'always' is false and there are no indications the skill requests persistent elevated privileges or modifies other skills' configurations. It is a normal CLI tool with no autonomous-install flags.