Security audit

Qwen Portal Auth Helper

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a real Qwen OAuth recovery helper, but it needs review because it can install persistent cron jobs, rewrite OpenClaw task state, and leave live OAuth details in local temporary logs.

Install only if you are comfortable with a local utility that runs OpenClaw and tmux commands, inspects cron task data, can modify your crontab, and can rewrite OpenClaw job state. Before using monitoring setup, back up and review your crontab. Treat OAuth URLs and device codes as sensitive, remove or protect /tmp qwen OAuth logs after use, and only reset task IDs you have verified belong to the affected qwen-portal jobs.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands

Findings (9)

Description-Behavior Mismatch

Medium

Confidence: 94% confidence
Finding: The skill is presented as an OAuth/authentication helper, but it also installs a recurring cron job, which creates persistence beyond the immediate auth workflow. Even if intended for monitoring, adding scheduled execution is a materially different capability that increases risk because it can continue running unattended and could be repurposed if the monitored script changes later.

Context-Inappropriate Capability

Medium

Confidence: 95% confidence
Finding: Modifying the user's crontab is a persistence mechanism with system-level operational consequences and is not strictly necessary to obtain an OAuth link or reset a task. In this context, the capability is riskier because users invoking an auth helper may not expect durable scheduled execution to be installed into their environment.

Context-Inappropriate Capability

Medium

Confidence: 91% confidence
Finding: This script directly edits ~/.openclaw/cron/jobs.json and clears error/status fields for any task ID supplied, which can mask failures and tamper with scheduler state outside the narrow OAuth interaction expected by users. In the context of an auth helper, undeclared local state manipulation is dangerous because it can suppress evidence of failing or misbehaving jobs and interfere with operational monitoring.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The guide instructs users to overwrite `~/.openclaw/cron/jobs.json` with test data, which directly modifies local task state and can disrupt or erase real scheduled job metadata if the restore step is missed or fails. Although framed as a test procedure, this is dangerous because it normalizes destructive state replacement in documentation without prominent warnings, safer isolation, or validation that the target file belongs to a disposable environment.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The README promotes extraction of OAuth links and device codes plus task-state recovery, but it does not warn that these artifacts can be sensitive or that logging/sharing them may enable unauthorized authentication flows or leak operational details. In this context, the omission is more dangerous because the skill is explicitly designed for automation, cron, and monitoring, which often route output into logs, chat transcripts, or shared terminals where secrets and recovery actions can be exposed or misused.

Missing User Warnings

Medium

Confidence: 80% confidence
Finding: The README promotes automatic task-state resets and cron modifications without prominently warning that these actions change scheduler or application state. That is risky because users may run recovery steps assuming they are diagnostic-only, potentially masking failures, altering automation behavior, or creating persistence they did not intend.

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The code adds a cron entry without any explicit warning, approval prompt, or dry-run preview, so a user can trigger persistent changes with a single command. Silent persistence changes are dangerous because they reduce informed consent and make it easier for maintenance features to become unwanted background execution.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The script logs sensitive OAuth material, including the authorization link and device code, to predictable files under /tmp and a daily log file. On multi-user systems or systems with permissive umask settings, other local users or processes may read these files and hijack or monitor the authentication flow.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The script captures the full authentication command output into a temporary file and may print it back to the terminal on errors, which can persist sensitive login data on disk. In an OAuth helper context this is more dangerous because the captured output is likely to contain live authorization URLs, device codes, and related session details usable during the authorization window.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical

Code: suspicious.dangerous_exec
Location: index.js:58