Back to plugin

Security audit

QQ Bot

Security checks across malware telemetry and agentic risk

Overview

This official QQ Bot plugin is coherent and purpose-aligned, but it can send messages, handle media, schedule reminders, and manage QQ channel resources when configured with bot credentials.

Install only for bots you intend to connect to QQ, use scoped QQ Bot permissions, keep client secrets in OpenClaw secret/env mechanisms, restrict allowFrom/groupAllowFrom for sensitive deployments, and review any agent-requested channel write or delete action before approving it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

VirusTotal

59/59 vendors flagged this plugin as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.