QQ Bot

Security checks across malware telemetry and agentic risk

Overview

This appears to be a coherent, official QQ Bot plugin, but it gives authorized bot admins broad messaging, media, reminder, log-export, and configuration powers that should be used carefully.

Install only if you intend this bot to have QQ admin/messaging authority. Restrict QQBot allowlists to trusted admins, be cautious with /bot-approve off and /bot-logs, configure STT only with a provider you trust, periodically clear downloaded media if needed, and avoid putting instruction-like text into reminders.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Context-Inappropriate Capability

Severity: Medium
Confidence: 79%
Finding: The module reads a client secret from an arbitrary filesystem path supplied in configuration via fs.readFileSync(accountConfig.clientSecretFile, "utf8"). Even if intended for convenience, this turns a config resolver into a local file-reading primitive and could expose unintended local files if an attacker can influence configuration values.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding: The /bot-logs command enumerates log locations from broad filesystem paths, configuration files, and environment-derived directories, then packages recent log contents into a downloadable attachment. Logs commonly contain secrets, tokens, internal paths, prompts, user content, and operational metadata, so this creates a powerful local file read and exfiltration capability even if restricted to authenticated users.

Context-Inappropriate Capability

Severity: High
Confidence: 95%
Finding: The /bot-clear-storage command permanently deletes files from the host filesystem under the QQBot downloads area after an in-chat confirmation. Although scoped to an application directory, it is still a destructive host-file operation exposed through chat commands, so misuse, authorization mistakes, or path-resolution bugs could cause data loss.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding: The /bot-approve, /bot-group-allways, and /bot-streaming commands modify persistent runtime configuration, including the ability to disable execution approval by setting security=full and ask=off. Exposing security and behavioral configuration changes through chat significantly increases risk because a compromised or mis-authorized account can weaken protections and alter bot behavior persistently.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: Voice attachments are sent to an external OpenAI-compatible STT endpoint using configured credentials, which can disclose user audio and potentially sensitive speech content to a third party. The code performs this transfer automatically when STT is configured, with no evidence at the call site of consent, per-conversation opt-in, or redaction controls.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The code accepts attacker-controlled http/https URLs and will either pass them to upload handlers or actively download them via downloadToFallbackDir, creating an SSRF-style network fetch primitive. In an agent skill context, model output or user-influenced media tags can trigger outbound requests to internal services or cause the host to retrieve sensitive or internal-only resources without explicit approval.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The log export flow creates a downloadable file from collected logs and returns it without clearly warning that logs may contain sensitive information. This increases the chance of inadvertent disclosure because authorized users may treat the export as routine despite embedded secrets or private data.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The skill explicitly states that user-sent images are automatically downloaded to local storage, but it provides no notice about consent, retention period, cleanup, or access controls for those files. This creates a privacy and data-handling risk because untrusted user content is persisted locally and may remain available for later access, reuse, or leakage beyond the original interaction.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding: The trigger rule is very broad: ordinary mentions of reminders, alarms, timing, or phrases like '叫我' (roughly "call me" / "wake me") force tool invocation and can create scheduled jobs from casual conversation. Because this skill creates persistent outbound QQ reminders, overbroad activation increases the chance of unintended job creation, surprise notifications, and accidental spam-like behavior.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The description says only 'scheduled reminders' but does not clearly disclose that the skill will create, list, and cancel persistent scheduled jobs that later send proactive QQ messages. Users and operators may not realize they are authorizing durable background actions, which weakens informed consent and can lead to unexpected outbound messaging behavior.

Ssd 1

Severity: High
Confidence: 97%
Finding: User-controlled reminder content is interpolated directly into a future agent instruction string: "Please remind the user about: ${content}". An attacker can supply content that includes instruction-like text to override the scheduled agent's behavior, potentially causing the later agent turn to ignore its reminder purpose, exfiltrate data available in that context, or perform unintended tool actions.

VirusTotal

61/61 vendors flagged this plugin as clean.