OpenClaw OneBot Plugin

Security checks across malware telemetry and agentic risk

Overview

The plugin largely matches its QQ messaging purpose, but it needs review because its voice conversion path can execute shell commands with insufficiently safe path handling.

Install only if you trust the publisher and can accept local code execution risk from the voice feature. Keep OneBot endpoints on localhost or a trusted network, configure a strong access token and allowFrom, use a dedicated sharedDir, and avoid running the optional CLI sync unless you have reviewed it and need that compatibility patch.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Context-Inappropriate Capability

Medium, 95% confidence
Finding
The code builds shell command strings using untrusted file paths and passes them to child_process.exec, which invokes a shell. In convertSilkToMp3, silkPath and pcmPath are embedded inside a Python one-liner with single quotes, and in both conversion functions paths are interpolated into ffmpeg commands; crafted filenames containing shell metacharacters or quote-breaking characters can lead to command injection and arbitrary command execution.

Missing User Warnings

Medium, 91% confidence
Finding
The code appends the access token to the WebSocket URL query string before connecting. Query-string credentials are commonly exposed through logs, reverse proxies, browser/debug tooling, monitoring systems, and error telemetry, which increases the chance of credential leakage and unauthorized access to the OneBot endpoint. In this gateway context, the risk is real because the code also logs connection activity and operates as a network-facing integration component.

Missing User Warnings

Medium, 90% confidence
Finding
The legacy install path unconditionally removes files and directories under the plugin destination without warning, confirmation, or validation that the target is the expected plugin path. Because PLUGIN_DIR is derived from environment-controlled values, a misconfigured or malicious OPENCLAW_HOME could cause destructive deletion of unintended user files during installation.

Missing User Warnings

Medium, 92% confidence
Finding
This script directly modifies JavaScript and type definition files inside the user's OpenClaw installation under the home directory, and does so automatically once the expected files are found. Even if the purpose is compatibility patching, silent in-place modification of installed tooling is risky because it changes trusted binaries/code without explicit consent, rollback support, integrity checks, or version validation.

VirusTotal

64/64 vendors flagged this plugin as clean.