Qqbot Installer

This skill appears to do what it says (install/upgrade an OpenClaw plugin) but has three important issues to consider before installing or running it: 1) Missing runtime requirements: the metadata does not declare that the script needs an OpenClaw CLI (openclaw|clawdbot|moltbot) or node.js. Ensure those binaries exist and are the versions you expect before running the script. 2) High-impact filesystem changes: the script will move, remove, and replace plugin directories under your OpenClaw extensions/config paths (defaults to $HOME/.openclaw/extensions). It can rm -rf legacy directories and will delete backups on successful install. Back up your OpenClaw config/plugins beforehand, or run this in a safe test environment. 3) Arbitrary code execution via npm lifecycle scripts: when the CLI installs an npm package it will run package lifecycle scripts. The installer will also explicitly execute a plugin's scripts/postinstall-link-sdk.js with node. That means installing an untrusted plugin version can execute arbitrary JavaScript on your host. To reduce risk,: - Review the specific npm package source and version before installing (or pin to a vetted version). - Run the installer manually in a sandbox/container or on a staging instance first. - Inspect outputs and logs before accepting success; if the script fails, do not assume safe state — check rollbacks/backups. If you still want to use this skill, ask the publisher to update the metadata to list required binaries (node, openclaw/clawdbot/moltbot) and to document exact permissions and paths the script modifies. If you cannot verify the package or prefer caution, avoid running this automatically and run the script manually after review.