qqbot

Security checks across malware telemetry and agentic risk

Overview

The QQ bot mostly matches its stated purpose, but it needs review because it ships a real-looking QQ secret and handles chat content with weak security guidance.

Review before installing. Replace and rotate any QQ credentials, treat config.example.json as exposed if that secret is real, protect ~/.openclaw/workspace with restrictive permissions, avoid using this in sensitive chats until logging and queue retention are understood, and remove or ignore the ClawHub publishing scripts if you only need the bot.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (5)

Missing User Warnings

Medium, 93% confidence
Finding
The guide explicitly instructs users to place the QQ AppSecret into JSON and Python configuration files, but it does not pair that instruction with safeguards such as file permission restrictions, secret-store usage, redaction guidance, or warnings against committing credentials to source control. This increases the chance of credential leakage through backups, shared workspaces, screenshots, logs, or repositories, which could allow an attacker to impersonate the bot or access related platform APIs.

Missing User Warnings

Medium, 89% confidence
Finding
The documentation tells users to inspect bot logs and describes queue/request-response files, but it does not warn that these artifacts may contain message content, identifiers, or operational metadata. In a messaging bot context, that omission is risky because users may leave sensitive chat data in plaintext log files or world-readable workspace directories, leading to privacy exposure or unintended retention.

Missing User Warnings

Medium, 95% confidence
Finding
The script automatically selects a local ZIP file from the user's Desktop and uploads it into a browser session pointed at a remote site, but it does not present a clear consent prompt or verify that the user intended this exact file to be transmitted. Because the browser remains interactive and is intended for publication, this creates a real risk of unintended disclosure of local content if the file path is wrong, stale, or sensitive.

Missing User Warnings

Medium, 92% confidence
Finding
The code writes user identifiers, usernames, message content, and timestamps into predictable local files under ~/.openclaw/workspace/qq_queue with no access controls, minimization, or disclosure. This creates a privacy and data exposure risk if the local system is multi-user, compromised, backed up, or monitored by other software.

Missing User Warnings

Medium, 90% confidence
Finding
Incoming user messages are automatically forwarded into an external/local AI processing path without any visible consent, notice, or policy boundary. That broadens the data-sharing surface and may expose private chat content to another component, operator, or model pipeline beyond the QQ bot itself.

VirusTotal

66/66 vendors flagged this skill as clean.
