Quantum Messenger - Openclaw Integration

Security checks across malware telemetry and agentic risk

Overview

If deployed as instructed, this IM bridge can let a public message run server commands and send agent replies or local files to attacker-chosen destinations.

Do not install or expose this skill as written. If you need this integration, first fix the command execution path, authenticate webhook requests, restrict callback domains, use HTTPS for all provider calls, sandbox the process, and allow local file uploads only from an approved directory with explicit confirmation.

VirusTotal

64/64 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI05: Unexpected Code Execution
Critical
What this means

Anyone who can reach the listener may be able to execute commands on the server running this skill.

Why it was flagged

Webhook-controlled message content is inserted into a shell command run by child_process.exec. JSON.stringify is not shell escaping; values such as command substitutions can still be interpreted by the shell.

Skill content
const content = data.textMsg?.content || ''; ... const cmd = `openclaw agent --agent main --message ${JSON.stringify(content)}`; exec(cmd, (error, stdout, stderr) => {
Recommendation

Do not deploy as-is. Replace exec with spawn/execFile using an argument array, validate and authenticate webhook requests, and run the listener in a restricted sandbox.

ASI02: Tool Misuse and Exploitation
High
What this means

A prompt or compromised agent output could cause the service to upload any file readable by the Node process.

Why it was flagged

The agent's text output controls which local file path is opened and uploaded, with no allowlist, directory sandbox, file type restriction, or user confirmation.

Skill content
if (replyText.includes('FILE:')) { ... const filePath = match ? match[1] : ''; if (filePath && fs.existsSync(filePath)) { ... await uploadAndSendMedia(callBackUrl, phone, groupId, filePath, false); }
Recommendation

Only allow media export from a dedicated safe directory, require explicit user approval for uploads, and ignore file markers that reference absolute paths or parent-directory traversal.

ASI07: Insecure Inter-Agent Communication
High
What this means

An attacker can direct replies, phone/group metadata, or media message references to an attacker-controlled URL, and may also use the server to send requests to internal network addresses.

Why it was flagged

The inbound request supplies the callback URL used for outbound replies, and the handler shows no origin, signature, key, or domain validation before sending agent output there.

Skill content
const callBackUrl = data.callBackUrl || ''; ... await postToUrl(callBackUrl, payload);
Recommendation

Verify webhook signatures or shared secrets, accept callbacks only from trusted Quantum Messenger domains, and reject private/internal destination addresses.

ASI03: Identity and Privilege Abuse
Medium
What this means

The bot key could be exposed through network interception, proxy logs, server logs, or URL recording, allowing unauthorized use of the messaging bot.

Why it was flagged

The provider credential is embedded into a URL query string sent over plaintext HTTP rather than HTTPS.

Skill content
const KEY = process.env.QUANTUM_KEY || 'YOUR_QUANTUM_KEY_HERE'; const WEBHOOK_URL = `http://imtwo.zdxlz.com/im-external/v1/webhook/send?key=${KEY}`;
Recommendation

Use HTTPS endpoints, avoid putting secrets in query strings where possible, keep the key only in environment variables, and rotate the key before production use.

ASI10: Rogue Agents
Low
What this means

The service may keep accepting messages until the user explicitly finds and stops the process.

Why it was flagged

The documented deployment starts a background listener that continues running after the shell exits.

Skill content
nohup node scripts/listener.mjs > listener.log 2>&1 &
Recommendation

Run it under a supervised service with clear start/stop procedures, logs, firewall rules, and least-privilege permissions.