Skill v1.0.2

ClawScan security

量子密信-Openclaw对接 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Mar 6, 2026, 5:43 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill is broadly coherent with its stated purpose (integrating Quantum Messenger with OpenClaw), but the implementation contains risky behaviors — unescaped shell execution, uploading arbitrary local files to an external HTTP endpoint, and use of plain‑HTTP endpoints — that could lead to remote code execution or data exfiltration.
Guidance
This skill appears to implement the advertised Quantum Messenger <-> OpenClaw bridge, but it has concrete implementation risks you should address before deploying:

- Command injection risk: the code builds a shell command with unescaped JSON (exec). Replace exec with a safe invocation (child_process.spawn with argument array) or otherwise sanitize input to avoid arbitrary command execution.
- Arbitrary-file upload / exfiltration: the listener will upload any local file path returned by the AI (IMAGE:/FILE:) to an external host (imtwo.zdxlz.com). Restrict what paths are allowed, run the service with least filesystem privileges, and audit what files might be accessible.
- Plain HTTP + key-in-query: the upload/send endpoints use http and include QUANTUM_KEY in the URL query string, which exposes credentials in transit and in logs. Use HTTPS endpoints and send auth in headers where possible. Verify whether imtwo.zdxlz.com is an official/trusted Quantum Messenger endpoint; if not, do not send sensitive data.
- Network trust and isolation: run this service in a locked-down container or VM with minimal privileges and limited outbound network access to only the known Quantum endpoints. Monitor logs for unexpected uploads.
- Additional checks: confirm the ownership/trustworthiness of the imtwo.zdxlz.com host; audit and pin the OpenClaw CLI binary you run; rotate QUANTUM_KEY after testing.

If you cannot confirm the upstream endpoint and cannot harden command execution and file-access logic, treat this skill as risky and avoid deploying it on systems that hold sensitive data.

Review Dimensions

Purpose & Capability
ok
Name/description match the code: listener receives webhook messages and forwards them to OpenClaw, then returns text/media via the Quantum Messenger webhook. Required binary (node) and QUANTUM_KEY credential are appropriate for this integration. The script expects an installed OpenClaw CLI (documented in README), so the requested items are proportionate to the declared purpose.
Instruction Scope
concern
The runtime instructions and code go beyond simple message forwarding in risky ways: the listener executes a shell command 'openclaw agent --message <json>' by interpolating JSON directly into a shell string (child_process.exec), which makes the host vulnerable to command injection from attacker-controlled input. The listener also inspects AI responses for local file paths (IMAGE:/FILE:) and, if present, will read arbitrary local files and upload them to an external endpoint — this can exfiltrate sensitive files from the server. Network calls use plain HTTP with the QUANTUM_KEY in query strings, exposing the key in transit and logs. These behaviors are functional for the feature set but are high-risk and should be hardened.
Install Mechanism
ok
No external install spec (instruction-only with included scripts) — low install risk. The code does not pull remote archives or execute installation downloads. The README asks operators to ensure OpenClaw is installed separately; that is consistent and expected.
Credentials
note
Only QUANTUM_KEY (and optionally QUANTUM_PORT) are required — that is proportionate. However, the code transmits that key in plaintext over HTTP to imtwo.zdxlz.com and uses it as a direct query parameter for upload/send operations, which increases credential exposure risk. The single env var is sensible, but transport and endpoint selection weaken that proportionality.
Persistence & Privilege
ok
The skill does not request always:true or other elevated platform privileges; it is user-invocable and does not auto-enable itself. It does run a persistent HTTP server (normal for webhook integrations) but does not modify other skills or system-wide agent settings.