Onebot Adapter 1.0.0
Warn
Audited by ClawScan on May 10, 2026.
Overview
This looks like a real OneBot/QQ adapter, but it gives the agent powerful QQ bot actions, including sending and recalling messages and moderating groups, without clear approval or scope limits.
Before installing, make sure you trust the publisher and run it only with a dedicated, low-privilege QQ bot. Keep OneBot on localhost or a trusted network, require a token, avoid logging full message events, and add explicit approval/allowlist checks before allowing the agent to send messages or perform group moderation.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent or a copied handler uses these methods incorrectly, it could send unwanted QQ messages or perform disruptive group moderation actions.
These callable methods can post to groups, recall messages, kick or ban members, and rename groups through the QQ bot account. The provided artifacts do not show confirmation prompts, allowlists, role checks, or rollback safeguards around these high-impact actions.
def send_group_msg(...): ... "/send_group_msg"
def delete_msg(...): ... "/delete_msg"
def set_group_kick(...): ... "/set_group_kick"
def set_group_ban(...): ... "/set_group_ban"
def set_group_name(...): ... "/set_group_name"
Require explicit user approval for sending, deleting, kicking, banning, or renaming; restrict allowed groups/users; and add sender/admin authorization checks before any moderation action.
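One way to put those checks in front of the skill's methods is to route every OneBot call through a policy layer that allowlists groups, requires the requesting QQ user to be a configured moderator, and demands an explicit approval decision before any moderation endpoint is hit. The block below is an added example written for this review, not code from the skill; the class and function names (ActionPolicy, GuardedClient, RecordingClient, attempt) are assumptions, and RecordingClient stands in for the skill's real HTTP client so the example runs offline.

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Tuple

# Endpoints named in the finding. Everything except send is a moderation action.
SEND_ENDPOINT = "/send_group_msg"
MODERATION_ENDPOINTS = frozenset(
    {"/delete_msg", "/set_group_kick", "/set_group_ban", "/set_group_name"}
)
GUARDED_ENDPOINTS = MODERATION_ENDPOINTS | {SEND_ENDPOINT}


class PolicyViolation(PermissionError):
    """Raised when a requested OneBot action falls outside the configured policy."""


@dataclass(frozen=True)
class ActionPolicy:
    allowed_groups: frozenset  # group IDs the bot may post to or moderate
    moderators: frozenset      # QQ user IDs whose requests may trigger moderation
    approve: Callable[[str, Dict[str, Any]], bool]  # explicit approval hook (prompt, ticket, ...)

    def check(self, endpoint: str, params: Dict[str, Any], requested_by: int) -> None:
        if endpoint not in GUARDED_ENDPOINTS:
            return  # read-only calls pass through unchanged
        group_id = params.get("group_id")
        if group_id is not None and group_id not in self.allowed_groups:
            raise PolicyViolation(f"{endpoint}: group {group_id} is not allowlisted")
        if endpoint in MODERATION_ENDPOINTS:
            # /delete_msg carries only message_id, so it relies on these two checks alone.
            if requested_by not in self.moderators:
                raise PolicyViolation(f"{endpoint}: user {requested_by} is not a moderator")
            if not self.approve(endpoint, params):
                raise PolicyViolation(f"{endpoint}: explicit approval was not given")


class GuardedClient:
    """Wraps any client exposing call(endpoint, params); checks policy before forwarding."""

    def __init__(self, inner: Any, policy: ActionPolicy) -> None:
        self.inner = inner
        self.policy = policy

    def call(self, endpoint: str, params: Dict[str, Any], requested_by: int) -> Any:
        self.policy.check(endpoint, params, requested_by)
        return self.inner.call(endpoint, params)


class RecordingClient:
    """Stand-in (assumed, not the skill's code) that records calls instead of hitting OneBot."""

    def __init__(self) -> None:
        self.calls: List[Tuple[str, Dict[str, Any]]] = []

    def call(self, endpoint: str, params: Dict[str, Any]) -> Dict[str, Any]:
        self.calls.append((endpoint, dict(params)))
        return {"status": "ok", "retcode": 0, "data": None}


def attempt(client: GuardedClient, endpoint: str, params: Dict[str, Any], requested_by: int) -> str:
    """Run one action and return 'ok' or 'denied: <reason>' instead of raising."""
    try:
        client.call(endpoint, params, requested_by)
        return "ok"
    except PolicyViolation as exc:
        return f"denied: {exc}"


if __name__ == "__main__":
    # Constructed scenario: one allowlisted group, one moderator, approval granted only for bans.
    policy = ActionPolicy(
        allowed_groups=frozenset({1001}),
        moderators=frozenset({42}),
        approve=lambda endpoint, params: endpoint == "/set_group_ban",
    )
    client = GuardedClient(RecordingClient(), policy)
    print(attempt(client, SEND_ENDPOINT, {"group_id": 1001, "message": "hello"}, requested_by=7))
    print(attempt(client, "/set_group_kick", {"group_id": 1001, "user_id": 9}, requested_by=7))
    print(attempt(client, "/set_group_ban", {"group_id": 1001, "user_id": 9, "duration": 600}, requested_by=42))
```

The approval hook is deliberately a plain callable so it can be wired to an interactive prompt, a ticket lookup, or a test stub; the important property is that the agent cannot reach a moderation endpoint without both an authorized requester and a separate approval decision. Note that /delete_msg takes only a message_id, so the group allowlist cannot apply to it; if per-group scoping matters for recalls, the caller has to resolve the message to its group before the check.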
Anyone or any agent flow with access to the token and endpoint may be able to act as the configured QQ bot within the OneBot server's permissions.
The client uses a bearer token from the environment to act through the OneBot/QQ bot account. This is expected for the integration, but it is sensitive delegated authority and is not reflected in the registry's credential declarations.
self.token = token or os.getenv("ONEBOT_TOKEN", "")
...
self.headers["Authorization"] = f"Bearer {self.token}"
Use a dedicated low-privilege bot account, keep the token local and secret, rotate it if exposed, and document the credential requirement in metadata.
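A startup check that enforces the "require a token, keep OneBot on localhost or a trusted network" guidance before the client ever sends a request, as an added example for this review rather than code from the skill. ONEBOT_TOKEN is the variable the skill reads; ONEBOT_URL and ONEBOT_TRUSTED_HOSTS, the function names, and the default port are assumptions made for the example.

```python
import ipaddress
from typing import Any, Dict, Optional
from urllib.parse import urlsplit

DEFAULT_URL = "http://127.0.0.1:5700"  # assumed default, not taken from the skill


class ConfigError(ValueError):
    """Raised when the adapter would start with an unsafe token or endpoint."""


def endpoint_is_acceptable(base_url: str, trusted_hosts: frozenset) -> bool:
    """Accept loopback over plain HTTP, any HTTPS endpoint, or an explicitly trusted host."""
    parts = urlsplit(base_url)
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        return False
    if parts.scheme == "https" or host in trusted_hosts or host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # a non-loopback DNS name over plain HTTP


def mask_token(token: str) -> str:
    """Logging-safe form of the bearer token: keeps only the last four characters."""
    return "****" + token[-4:] if len(token) >= 4 else "****"


def config_error(env: Dict[str, str]) -> Optional[str]:
    """Return a reason to refuse startup, or None if the settings are acceptable."""
    token = env.get("ONEBOT_TOKEN", "")
    base_url = env.get("ONEBOT_URL", DEFAULT_URL)
    trusted = frozenset(
        h.strip() for h in env.get("ONEBOT_TRUSTED_HOSTS", "").split(",") if h.strip()
    )
    if not token:
        return "ONEBOT_TOKEN is empty: refusing to run an unauthenticated bot client"
    if token in base_url:
        return "token appears in ONEBOT_URL: send it only in the Authorization header"
    if not endpoint_is_acceptable(base_url, trusted):
        return f"ONEBOT_URL {base_url} is neither loopback, HTTPS, nor in ONEBOT_TRUSTED_HOSTS"
    return None


def load_onebot_config(env: Dict[str, str]) -> Dict[str, Any]:
    """Validated client settings; the raw token lands only in the Authorization header."""
    reason = config_error(env)
    if reason:
        raise ConfigError(reason)
    token = env["ONEBOT_TOKEN"]
    return {
        "base_url": env.get("ONEBOT_URL", DEFAULT_URL),
        "headers": {"Authorization": f"Bearer {token}"},
        "token_for_logs": mask_token(token),
    }


if __name__ == "__main__":
    import os
    cfg = load_onebot_config(dict(os.environ))  # raises ConfigError on an unsafe setup
    print(cfg["base_url"], cfg["token_for_logs"])
```

Keeping the masked form next to the headers gives log statements something safe to print, which is the usual way a bearer token leaks from an adapter like this.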
QQ chat content and identifiers may be exposed to logs or model-visible output when the listener runs.
The listener receives arbitrary QQ event payloads, prints the full event, and passes it to handlers. Private/group messages and user IDs can therefore appear in terminal output or logs.
message = await ws.recv()
event = json.loads(message)
print(f"\n[Event] {json.dumps(event, ensure_ascii=False, indent=2)}")
await self._handle_event(event)
Run the listener only in trusted environments, avoid persistent logging of full events, redact sensitive fields, and treat incoming QQ messages as untrusted input.
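A replacement for the listener's full-event print that logs a redacted copy instead: message bodies and display names become lengths, user identifiers become keyed pseudonyms so one user still correlates across lines, and message text reaches handlers only through an accessor that treats it as data. This is an added example for this review, not the skill's code; the function names, the key variable and the sample event are constructed for illustration (the event mirrors the OneBot v11 group-message shape but is not captured traffic).

```python
import hashlib
import hmac
import json
from typing import Any, Dict

# Fields that carry chat content or display names: logged as lengths only.
CONTENT_KEYS = {"message", "raw_message", "nickname", "card", "title"}
# Fields that identify people: replaced by a keyed pseudonym (the bot's own self_id is kept).
ID_KEYS = {"user_id", "target_id", "operator_id"}


def pseudonym(value: Any, key: bytes) -> str:
    """Stable, key-dependent stand-in for a QQ number; useless without the key."""
    mac = hmac.new(key, str(value).encode("utf-8"), hashlib.sha256).hexdigest()
    return "u_" + mac[:12]


def redact_event(event: Any, key: bytes) -> Any:
    """Return a copy of a OneBot event that is safe to print or persist."""
    if isinstance(event, dict):
        out: Dict[str, Any] = {}
        for k, v in event.items():
            if k in CONTENT_KEYS:
                text = v if isinstance(v, str) else json.dumps(v, ensure_ascii=False)
                out[f"{k}_len"] = len(text)
            elif k in ID_KEYS:
                out[k] = pseudonym(v, key)
            else:
                out[k] = redact_event(v, key)
        return out
    if isinstance(event, list):
        return [redact_event(v, key) for v in event]
    return event


def log_line(event: Dict[str, Any], key: bytes) -> str:
    """One-line summary to print in place of the full event."""
    return json.dumps(redact_event(event, key), ensure_ascii=False, sort_keys=True)


def untrusted_text(event: Dict[str, Any], limit: int = 2000) -> str:
    """Message text for handlers: plain data, control characters stripped, length capped."""
    raw = event.get("raw_message", "")
    cleaned = "".join(ch for ch in raw if ch in "\n\t" or ord(ch) >= 32)
    return cleaned[:limit]


# Constructed sample event for demonstration; shape follows OneBot v11, values are made up.
SAMPLE_EVENT: Dict[str, Any] = {
    "time": 1715300000,
    "self_id": 3000000001,
    "post_type": "message",
    "message_type": "group",
    "sub_type": "normal",
    "message_id": 987654,
    "group_id": 1001,
    "user_id": 123456789,
    "message": [{"type": "text", "data": {"text": "hello everyone"}}],
    "raw_message": "hello everyone",
    "sender": {"user_id": 123456789, "nickname": "Alice", "card": "", "role": "member"},
    "font": 0,
}

if __name__ == "__main__":
    LOG_KEY = b"constructed-log-key"  # in practice: a local secret, not the bot token
    print(log_line(SAMPLE_EVENT, LOG_KEY))
    print(repr(untrusted_text(SAMPLE_EVENT)))
```

In the listener this replaces the print(f"\n[Event] ...") line; handlers that need the text call untrusted_text and should never interpolate it into anything the agent executes or treats as an instruction.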
Users have less external context for verifying who maintains the code or where updates should come from.
The artifacts provide no upstream source or homepage and no install specification for the included helper scripts. This is not malicious by itself, but it reduces provenance clarity for a skill with account-control capabilities.
Source: unknown
Homepage: none
Install specifications: No install spec (this is an instruction-only skill).
Install only if you trust the publisher, review the included Python files before use, and prefer a package with a clear source repository and declared runtime requirements.
