Claude Anywhere
v1.6.2
Not a chatbot; it is the AI employee in your pocket. Claude Anywhere lets you read and write files, run commands, analyze images and manage code anytime, anywhere via Telegram, WeChat Work and QQ. Not a chatbot — your AI engineer in your pocket. Claude Anywhere lets you re...
MIT-0
Security Scan
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill's name/description (Telegram/WeCom/QQ bot that reads/writes files, runs commands, analyzes images) matches the included code: bridge files and core logic implement those features and require node and the Claude CLI. However the declared requirements list only TELEGRAM_BOT_TOKEN as a required env var while the code also expects WECOM_BOT_ID/WECOM_SECRET and QQ_APP_ID/QQ_APP_SECRET when using WeCom/QQ bridges — metadata underspecifies required credentials.
Instruction Scope
SKILL.md and the code instruct users to install and run the bot, create systemd services, and install and log in to the Anthropic 'claude' CLI. Runtime behavior includes saving attachments to /tmp, passing local file paths to the Claude CLI and explicitly instructing the model to 'Read' local files and execute commands. That gives the remote model and any message sender the ability (via the bot and the claude CLI) to read local files and execute commands on the host — which is intended for the product but is high privilege. The SKILL.md also contains a detected 'system-prompt-override' pattern (prompt-injection signal) which may indicate manipulation attempts embedded in the instructions; this needs manual review.
Install Mechanism
There is no formal install spec for the platform — SKILL.md instructs cloning the GitHub repo and running npm install and global npm install of @anthropic-ai/claude-code. That is a normal workflow for this kind of Node bot, but it results in arbitrary JS being installed and run locally. The included license-client contacts license.claudeanywhere.com and the README references external purchase endpoints (gumroad / custom domains). No opaque download-URL shorteners were observed in the provided content, but running npm install will fetch dependencies from registries — review package-lock.json if you need supply-chain assurance.
Credentials
Registry metadata only lists TELEGRAM_BOT_TOKEN as required, but the code reads many env keys (.env example and runtime): TELEGRAM_BOT_TOKEN, WECOM_BOT_ID, WECOM_SECRET, QQ_APP_ID, QQ_APP_SECRET, LICENSE_KEY, LICENSE_SERVER_URL, CLAUDE_PATH, CLAUDE_CWD. The code also imports a license-client that exposes getMachineId and constructs buy/activation URLs including a machine id parameter — that implies the package will compute and (likely) send a host fingerprint to the vendor's license server when checking/activating Pro. Requesting TELEGRAM_BOT_TOKEN is proportional for Telegram usage, but the omission of the other env vars in metadata is an incoherence, and the machine-id/license flow raises potential privacy/exfiltration concerns.
Persistence & Privilege
The skill does not request always:true and is user-invocable. SKILL.md suggests configuring systemd or tmux to keep the bot running as a service — that is typical for bots but does create a persistent long-lived process on the host that will have access to files and the Claude CLI. The package does not automatically force system-wide changes, but following the README will grant it persistent presence and the ability to respond to remote messages indefinitely.
Scan Findings in Context
[system-prompt-override] unexpected: The SKILL.md content triggered a prompt-injection pattern. While the skill is instruction-heavy and includes guidance for running a model CLI, any embedded prompt-injection or system-prompt override material in documentation or templates should be reviewed manually — it can influence how the agent or the Claude CLI is instructed to behave.
What to consider before installing
Plain-language summary and recommended precautions:
- What it does: this repository implements a Telegram/WeCom/QQ bot that forwards user messages, images, and files to the local Claude CLI and returns the model's responses. It intentionally saves attachments to /tmp, instructs the model to read those files, and can schedule recurring jobs and run commands — exactly as the README claims.
- Mismatches you should notice: the registry metadata only lists TELEGRAM_BOT_TOKEN as required, but the code also expects WeCom and QQ credentials if you run those bridges. The package includes a license component that computes a machine id and builds payment/activation URLs — the license flow may send an identifier to the vendor's server.
- Privacy & security risks:
  - Running this gives the bot and the Claude CLI access to local files and (per the README) the ability to execute commands: treat it like giving remote users a shell on your machine. If a malicious user or model prompt causes the bot to run CLI commands or read sensitive files, those secrets can be exposed.
  - The license flow likely transmits a machine identifier (getMachineId) to external servers; this can fingerprint your host.
  - The code runs as a persistent service when you follow the systemd instructions, increasing the blast radius of a compromise.
- Before you install/run it, consider:
  1. Inspect license-client.mjs and core.mjs to confirm exactly what is sent to the license server (what machine identifiers, network endpoints, and timing). If you don't want host fingerprinting, do not enable Pro activation or block license server access.
  2. Run the bot in a sandbox/container or on a non-sensitive host (not a production server) if you want to test it.
  3. Use a dedicated Telegram bot account with minimal privileges and avoid reusing tokens from important accounts. Do not run as root; use a restricted user account.
  4. If you need WeCom/QQ support, only provide those credentials when you intend to run those bridges and understand they are required. Metadata underspecifies these requirements — the platform will not automatically provide them.
  5. Review package-lock.json and installed npm dependencies for supply-chain risk.
  6. If you must run it on a server with sensitive data, consider network restrictions (e.g. a firewall rule to block calls to the license server or outgoing traffic you don't expect) and monitor outbound connections.
- Additional steps to reduce risk: audit or remove the license-client code if you don't want automatic activation/fingerprint reporting; avoid using the 'auto-activate after payment' flow if you require privacy; consider replacing calls to external endpoints with stubs in a fork.
Given the code's intended high privileges (file read/write, command execution, persistent service) and the metadata mismatch plus the prompt-injection signal and license/fingerprinting behavior, proceed with caution and prefer sandboxed testing.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
- core.mjs:649: Shell command execution detected (child_process).
- cron-manager.mjs:117: Shell command execution detected (child_process).
- bridge-qq.mjs:39: Environment variable access combined with network send.
- bridge-telegram.mjs:28: Environment variable access combined with network send.
- core.mjs:322: Environment variable access combined with network send.
- license-client.mjs:38: Environment variable access combined with network send.
- bridge-qq.mjs:22: File read combined with network send (possible exfiltration).
- bridge-telegram.mjs:12: File read combined with network send (possible exfiltration).
- core.mjs:13: File read combined with network send (possible exfiltration).
Like a lobster shell, security has layers — review code before you run it.
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
📱 Clawdis
Bins: node, claude
Env: TELEGRAM_BOT_TOKEN
Primary env: TELEGRAM_BOT_TOKEN
SKILL.md
Claude Anywhere
🦞 The perfect pairing of the lobster and Claude Code / OpenClaw meets Claude Code, anywhere.
Not a chatbot. Your AI engineer, in your pocket.
Claude Anywhere lets you, anytime and anywhere via Telegram, WeChat Work and QQ:
- 📂 Read/write files
- ⚡ Execute commands
- 📷 Analyze images
- 📄 Analyze files (PDF, Excel, CSV, code)
- 🔄 Resume sessions across devices
- ⏰ Schedule cron tasks
Pro edition ¥39.99/month → Upgrade now
3 Steps to Start
Telegram
- In Telegram, search for @BotFather, send /newbot, and copy the token
- `git clone https://github.com/yizhao1978/claude-anywhere.git && cd claude-anywhere && npm install && cp .env.example .env`
- Fill in the token → `npm run telegram` → done
WeChat Work
- Log in at work.weixin.qq.com → App Management → AI Assistant → Create Bot, and note the Bot ID and Secret
- `git clone https://github.com/yizhao1978/claude-anywhere.git && cd claude-anywhere && npm install && cp .env.example .env`
- Fill in the Bot ID and Secret → `npm run wecom` → done
QQ
- Open https://q.qq.com/qqbot/openclaw/index.html → scan the QR code → Create Bot → obtain the AppID and AppSecret
- `git clone https://github.com/yizhao1978/claude-anywhere.git && cd claude-anywhere && npm install && cp .env.example .env`
- Fill in the AppID and AppSecret → `npm run qq` → done
Start all three platforms with one command
Configure all tokens → `npm start` → every configured platform starts automatically
Free Tier (no LICENSE_KEY)
- 5 messages/day
- 7-day trial period
- Single-turn conversations
- Text only
- Upgrade prompts on every reply
Pro (¥39.99/month | ¥399.9/year) → https://claudeanywhere.com/buy.html
- Unlimited messages
- Multi-turn conversations with /resume
- Image and file analysis
- WeChat Work full support
- Auto-activated after payment, no License Key to enter
License Activation
After paying by scanning the QR code (WeChat Pay), Pro is activated instantly and automatically; no further action is needed.
Files (14 total)
