Onebot Adapter 1.0.0

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real OneBot/QQ adapter, but it includes under-scoped group moderation powers and verbose message logging that users should review before installing.

Install only if you intend to let OpenClaw operate a QQ bot through a OneBot server. Prefer a local or private server with token authentication, use a bot account with limited group privileges, avoid plaintext remote endpoints, and disable or sanitize verbose event logging before using it with real chats.

SkillSpector

By NVIDIA

Vulnerability Patterns

Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration

Findings (5)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 93% confidence
Finding: The skill documentation instructs use of environment variables and direct network connections to local OneBot HTTP/WebSocket endpoints, but no permissions are declared. This creates a transparency and governance gap: users or hosting systems cannot accurately assess that the skill reads secrets and communicates over the network, increasing the chance of unintended data exposure or unauthorized outbound access.

Tp4

High

Category: MCP Tool Poisoning
Confidence: 90% confidence
Finding: The stated purpose is basic QQ message send/receive integration, but the documented behavior implies broader administrative and surveillance-capable operations such as enumerating friends/groups, reading/deleting messages, and performing group moderation actions. This mismatch is dangerous because operators may grant or install the skill expecting limited messaging functionality while it can exercise significantly more powerful actions against accounts, chats, and group members.

Description-Behavior Mismatch

Medium

Confidence: 91% confidence
Finding: The client exposes account-enumeration methods and multiple administrative group actions that exceed the stated adapter purpose of sending and receiving QQ messages. In an agent context, extra capabilities expand the blast radius: if the skill is invoked unexpectedly or prompt-influenced, it could enumerate contacts/groups or perform unauthorized moderation actions.

Context-Inappropriate Capability

High

Confidence: 96% confidence
Finding: The adapter includes direct moderation primitives such as kicking users, banning users, and changing group cards/names, which are powerful state-changing actions unrelated to basic message transport. In a bot/agent environment, these capabilities are dangerous because any misuse, compromised workflow, or prompt-triggered action can immediately disrupt communities and abuse the bot's privileges at scale.

Missing User Warnings

Medium

Confidence: 98% confidence
Finding: The listener prints full incoming event payloads, which can include private messages, group messages, user identifiers, notices, and other sensitive metadata. In a QQ/OneBot integration context, this increases the risk of leaking personal or operational data into logs, terminals, container logs, or centralized logging systems that may be accessible beyond the intended operator.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal