Qwen Orchestrator

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill’s behavior matches its stated Qwen Chat automation purpose, but it relies on a persistent logged-in browser profile and a background daemon, both of which users should understand before enabling it.

Install only if you are comfortable with an OpenClaw skill controlling a Chromium browser that is logged into Qwen and sending selected prompts/stdin content to chat.qwen.ai. Prefer a dedicated Qwen account, keep the .profile and .sessions directories private (they hold the login state and the saved chat context), stop the PM2 daemon when done, and install from the checked-in lockfile because the published source/provenance is limited.

Static analysis

Dangerous exec

Critical
Finding
Shell command execution detected (child_process).

Dangerous exec

Critical
Finding
Shell command execution detected (child_process).

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI03: Identity and Privilege Abuse
Medium
What this means

Prompts are sent through the user’s logged-in Qwen browser session. The .profile directory is a Chromium user data dir, so it holds the cookies and local storage that keep the account logged in; anyone who can read it can reuse that session.

Why it was flagged

The skill stores and reuses a dedicated Chromium profile, which can contain Qwen login/session state.

Skill content
const PROFILE_DIR = path.join(__dirname, '.profile'); ... userDataDir: PROFILE_DIR
Recommendation

Use a dedicated Qwen account/profile if possible, do not commit or publish the .profile directory (restrict it to the owning user), stop the daemon when finished, and delete the profile once the skill is no longer needed.

ASI10: Rogue Agents
Medium
What this means

A background Chromium/Qwen process may remain running and authenticated after the immediate task is done.

Why it was flagged

The skill intentionally supports a long-running daemon managed outside a single request.

Skill content
Persistent daemon (~35ms startup), health checks, graceful shutdown, PM2 management.
Recommendation

Start the daemon only when needed, monitor it with PM2, and stop it with the documented PM2 stop command when not in use.

ASI05: Unexpected Code Execution
Medium
What this means

Chromium runs without its process sandbox, and the automation fingerprint (navigator.webdriver) is suppressed. Both are common in containerized Puppeteer setups, but without the sandbox a renderer-level exploit is no longer contained to the browser process, and masking automation may conflict with the service’s policy on automated clients.

Why it was flagged

The daemon launches Chromium with flags that reduce browser sandboxing and hide automation signals.

Skill content
'--no-sandbox', '--disable-setuid-sandbox', '--disable-blink-features=AutomationControlled'
Recommendation

Run the skill in a contained environment (VM or container), run it as an unprivileged user so Chromium does not need --no-sandbox, keep Chromium/Puppeteer updated, and avoid using it for arbitrary browsing.

ASI06: Memory and Context Poisoning
Low
What this means

Prior chat content can influence later answers in the same named session, which may be undesirable for unrelated or sensitive tasks.

Why it was flagged

Named sessions intentionally preserve Qwen chat context for follow-up prompts.

Skill content
`--session NAME` | Persistent context across requests
Recommendation

Use separate session names for separate tasks and run --end-session when the context should no longer be reused.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

Dependency installation fetches Puppeteer from npm and, unless configured otherwise, Puppeteer’s install step also downloads a Chrome build; exactly what runs depends on how the skill is installed.

Why it was flagged

The skill depends on Puppeteer from npm; package-lock is present, but installation/provenance is not described by an install spec.

Skill content
"dependencies": { "puppeteer": "^24.20.0" }
Recommendation

Install with npm ci against the checked-in lockfile so the resolved versions and integrity hashes are enforced, and verify the skill source/provenance before use.