Telegram → QQ Auto-Forward

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a plausible Telegram-to-QQ bridge, but it builds shell commands from Telegram message text and uses local OpenClaw session/account data in ways that need review before installation.

Install only if you are comfortable with an always-running bridge that reads a local OpenClaw session file and sends matching messages through your QQ bot account. This version should be fixed before use because Telegram message text can affect a shell command; ask the publisher to use safe argument-based process execution, declare all required configuration and credentials, and provide complete plugin/install metadata.

Static analysis

Dangerous exec

Severity: Critical
Finding: Shell command execution detected (child_process).

Destructive delete command

Severity: Warn
Finding: Documentation contains a destructive delete command without an explicit confirmation gate.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A Telegram message mentioning the bot could potentially execute commands on the machine running this skill, not just be forwarded to QQ.

Why it was flagged

cleanText comes from Telegram session content and is inserted into a shell command without escaping or argument separation. Shell metacharacters, command substitution, or quotes in a Telegram message could cause local commands to run.

Skill content
const cmd = `openclaw message send --channel qqbot --account ${CONFIG.qqAccount} --target "${CONFIG.qqTarget}" --message "[Telegram] ${cleanText}"`; ... execSync(cmd, { encoding: 'utf-8', timeout: 30000 });
Recommendation

Do not run this version as-is. Replace execSync with spawn/execFile using an argument array, disable shell interpretation, and strictly validate or escape message/account/target values.

What this means

The skill can read local agent conversation/session data and send messages through a configured QQ bot account, which may be broader authority than users expect from the registry metadata.

Why it was flagged

The skill uses a local OpenClaw agent session file and a QQ bot account by default, while registry metadata declares no required credentials, config paths, or environment variables.

Skill content
sessionFile: process.env.TELEGRAM_QQ_SESSION_FILE || path.join(... '.openclaw/agents/stockworker/sessions/bb586ba3-6b35-4def-87e9-94c0dbf6d216.jsonl'), qqAccount: process.env.QQ_ACCOUNT || 'youyanli'
Recommendation

Declare the session path, QQ account, QQ target, and required environment variables in metadata; avoid hardcoded session IDs/accounts; require explicit user configuration before sending.

What this means

Messages stored in the local session file that contain the bot mention can be copied to QQ; users should treat that session file as sensitive.

Why it was flagged

The skill intentionally uses persistent session-log content as its input source and forwards matching content to another messaging service.

Skill content
The plugin polls the Telegram session file ... when it detects a message containing `@ollama_openclaw_at_dzt_bot` ... it calls `openclaw message send` to forward it to QQ
Recommendation

Use a narrowly scoped session file, document retention and filtering behavior, and avoid monitoring broad or private agent sessions.

What this means

Users may over-trust the package because it claims an official-looking security approval.

Why it was flagged

The package contains self-presented security approval language that is not backed by the provided registry metadata and conflicts with the unsafe command-execution code.

Skill content
Reviewer: OpenClaw Security Team ... Signature: ✅ Approved for Release
Recommendation

Do not rely on bundled audit claims; require independent review and remove or clearly label self-generated approval documents.

What this means

Installation and auto-start behavior may not match the documentation, making it harder to know what will actually run.

Why it was flagged

The supplied artifacts still include runnable code and documentation describing an auto-starting plugin, while referenced plugin/package files are not in the manifest.

Skill content
No install spec — this is an instruction-only skill.
Recommendation

Provide a complete install spec and include or remove references to plugin files such as package.json and openclaw.plugin.json.