Security audit
QQ Bot
Security checks across malware telemetry and agentic risk
Overview
This official QQ Bot plugin is coherent and purpose-aligned, but it can send messages, handle media, schedule reminders, and manage QQ channel resources when configured with bot credentials.
Install only for bots you intend to connect to QQ, use scoped QQ Bot permissions, keep client secrets in OpenClaw secret/env mechanisms, restrict allowFrom/groupAllowFrom for sensitive deployments, and review any agent-requested channel write or delete action before approving it.
SkillSpector
By NVIDIA
Vulnerability Patterns
- Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
- Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
- Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
- Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
- Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
VirusTotal
59/59 vendors flagged this plugin as clean.
Static analysis
No suspicious patterns detected.
