Package
Security checks across malware telemetry and agentic risk
Overview
The plugin mostly matches its Q-Claw/WMS/ERP purpose, but it ships a client secret, stores auth tokens locally, and sends token-bearing requests to a default HTTP backend.
Install only if you trust the Q-Claw backend and deployment environment. Before use, replace the packaged client secret, require HTTPS for the backend URL, understand that WMS/ERP queries and context are sent to that backend, and review where the plugin stores local authorization tokens.
VirusTotal
VirusTotal engine telemetry is currently stale for this artifact.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone with the package can see and potentially reuse the embedded client secret, weakening the service's authentication boundary.
The distributed runtime config contains a client secret used for gateway HMAC authentication, exposing a shared credential inside the package rather than requiring a per-install secure secret.
"qclawClientId": "qclaw-test", "qclawClientSecret": "qclaw-test-client-secret"
Do not rely on the packaged secret; require users or the deployment environment to provide a rotated secret through secure configuration, and avoid publishing secrets in artifacts.
Business queries, account context, and authorization tokens could be exposed to the configured backend path and, if HTTP is used, to network interception.
Tool execution forwards the user's access token, input, context, and parameters to the configured backend; the runtime config's default backend is HTTP, so token-bearing traffic may not be protected in transit by default.
resolveQclawApiUrl(baseUrl, "/tool/execute"), { scene, accessToken, userInput, context: backendContext, params }
Use HTTPS-only backend URLs, document exactly what data is sent, and prevent token-bearing requests from using plain HTTP.
Local users or processes with access to the auth-state file may be able to reuse Q-Claw credentials for WMS/ERP data access.
The plugin persists access and refresh credentials to local state, but the registry metadata declares no primary credential or required credential handling.
if (accessToken) persisted.accessToken = accessToken; if (refreshCredential) persisted.refreshCredential = refreshCredential; ... saveAuthStateToFile(fileMap);
Clearly disclose token storage, restrict file permissions, consider OS credential storage, and provide a documented logout/cleanup path.
The plugin may persistently update local q-wms/q-erp skill instructions, which changes future agent behavior.
The plugin includes code that can write managed skill files under the user's OpenClaw skills directory, consistent with its managed q-wms/q-erp sync behavior.
return path.resolve(homeDir, ".openclaw", "skills", skillId, "SKILL.md"); ... fs.renameSync(tmpFile, targetFile);
Review the managed skill-sync behavior and set the sync interval to 0 or disable the plugin if automatic local skill updates are not desired.
If the backend returns incorrect or unsafe text, the agent is instructed not to edit or contextualize it.
The skill instructs the agent to output backend-provided reply lines verbatim in some modes, making backend responses authoritative for final user-visible text.
`responseMode = VERBATIM`: the final reply must be exactly equal to `assistantReplyLines` joined by newlines, with nothing added, removed, or rewritten.
Only use this with a trusted backend and consider allowing the agent to add safety/context checks around backend-generated replies.
