OneBot Adapter

Security checks across malware telemetry and agentic risk

Overview

This is a real OneBot/QQ adapter, but it exposes live messaging and group moderation powers with weak disclosure and no safety checks.

Install only if you intend to let OpenClaw operate a QQ bot through a trusted OneBot/NapCat server. Use a dedicated bot account and token, keep endpoints local or tightly controlled, avoid running the example listener in sensitive chats unless logging is redacted, and require explicit human approval before sending messages, deleting messages, kicking or banning users, or changing group settings.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 88%
Finding:
The skill clearly relies on environment variables and network connectivity, but it does not declare those capabilities. Undeclared access reduces transparency and can cause the agent or user to authorize a skill without understanding that it can reach external services and consume secrets like ONEBOT_TOKEN. In a messaging adapter, hidden network/env usage is especially relevant because it enables outbound communication and credential use.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 94%
Finding:
The documented purpose is framed as basic QQ send/receive integration, but the referenced behavior includes broader account inspection, contact enumeration, message deletion, and group-administration actions. That mismatch is dangerous because users may grant or invoke the skill expecting simple messaging while it also exposes moderation and data-access capabilities that could be abused for privacy invasion or disruptive administrative actions.

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding:
The client exposes administrative actions such as kicking users, banning users, and changing group metadata, which exceed the stated skill purpose of simple QQ message send/receive integration. In an agent context, this broadens the action surface and can enable unintended or unauthorized moderation or configuration changes if the skill is invoked by higher-level automation without strict authorization controls.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding:
Group moderation and configuration functions are implemented despite not being necessary for basic QQ integration, violating least-privilege expectations for the skill. In practice, an LLM agent or plugin consumer may discover and use these methods opportunistically, causing harmful state changes in QQ groups beyond messaging operations.

Missing User Warnings

Severity: Medium
Confidence: 83%
Finding:
The documentation instructs users to send QQ messages and configure authentication tokens without warning that message contents will be transmitted to an external OneBot/NapCat server and may affect real users or groups. In a chat integration context, absence of privacy and side-effect warnings increases the risk of accidental disclosure, unintended messaging, or insecure token handling.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding:
The code provides destructive actions like kicking and banning group members with no built-in confirmation, policy checks, or safety interlocks. In an autonomous agent setting, this raises the chance of accidental or prompt-induced harmful moderation actions affecting real users.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The listener logs full incoming event payloads, which can include private messages, group messages, user identifiers, and other metadata. In a messaging bridge context, this creates unnecessary exposure of potentially sensitive chat content to logs, operators, or downstream log aggregation systems, increasing privacy and data-leak risk.

VirusTotal

46/46 vendors flagged this skill as clean.
