QG Car

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed campus bus helper that queries schedules and generates WeChat order-entry links, but its installer deserves normal supply-chain caution.

Install only if you trust the qg-skill npm package or GitHub repository and are comfortable with a global CLI plus skill-directory replacement. Prefer inspecting the installer before running it, and use the generated WeChat link to complete passenger selection and payment yourself.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill instructs the agent to invoke a local shell command (`qg`) and generate external WeChat links, which are code-execution and network-adjacent capabilities without any declared permissions or trust boundary documentation. Even though the described workflow is limited to schedule lookup and link generation, undeclared shell/network capability increases the risk of command misuse, unexpected side effects in the local CLI, or data exposure if the underlying tool behaves differently than assumed.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The installer retrieves code from GitHub or npm and performs a global CLI installation, which expands the trust boundary far beyond simply installing a local skill definition. Because the skill is described as helping prepare campus bus booking links and explicitly not auto-submitting orders, fetching and executing remote package code is more capability than the stated purpose requires and creates supply-chain risk if the repository, package, or environment variables are tampered with.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The script uses npm registry access and `npm install -g` to install a package system-wide, which executes package lifecycle scripts with the user's privileges and affects the broader host environment. For a skill whose stated purpose is ticket-link assistance, this is unnecessarily invasive and increases exposure to dependency confusion, package compromise, or malicious postinstall behavior.

External Script Fetching

Low
Category
Supply Chain
Content
Install the CLI, and install the Skill to both `~/.codex/skills/qgcar-skill` and `~/.openclaw/skills/qgcar-skill`:

```bash
curl -fsSL https://raw.githubusercontent.com/qybaihe/qg-skill/26ed8e31342968836b672d0ea7ab2a275361779c/install.sh | bash
```

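The script installs `qg-skill` from npm first; if the npm package has not been published yet, it automatically falls back to building and installing from the GitHub source.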
Confidence
95% confidence
Finding
curl -fsSL https://raw.githubusercontent.com/qybaihe/qg-skill/26ed8e31342968836b672d0ea7ab2a275361779c/install.sh | bash

Chaining Abuse

High
Category
Tool Misuse
Content
Install the CLI, and install the Skill to both `~/.codex/skills/qgcar-skill` and `~/.openclaw/skills/qgcar-skill`:

```bash
curl -fsSL https://raw.githubusercontent.com/qybaihe/qg-skill/26ed8e31342968836b672d0ea7ab2a275361779c/install.sh | bash
```

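The script installs `qg-skill` from npm first; if the npm package has not been published yet, it automatically falls back to building and installing from the GitHub source.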
Confidence
97% confidence
Finding
| bash

VirusTotal

67/67 vendors flagged this skill as clean.
