QQ-Bot-connect

v1.0.0

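QQBot proactive message push skill. Use this skill when a message needs to be sent to a QQ user or group. Supports: (1) proactively sending messages to a QQ chat window (2) sending rich media such as images, voice, and files (3) bulk-sending messages. Trigger phrases: 发送 QQ, 推送 QQ, QQ 消息, 发送到 QQ, QQ 发送.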

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name and description claim QQ message push; SKILL.md only requires reading a local config.json for an openid and using the platform 'message' tool to send to qqbot:c2c:... or qqbot:group:.... No unrelated binaries, cloud credentials, or other services are requested, so the required capabilities match the purpose.
Instruction Scope
Runtime instructions are narrowly scoped: read the skill's config.json, construct a target string, and call the 'message' tool to send text or media. The SKILL.md does not instruct reading arbitrary system files or sending data to external endpoints outside the QQ messaging channel. Note: the doc gives example local paths — the skill expects a local config file and instructs editing it for the user's openid.
Install Mechanism
No install spec and no code files — instruction-only. This is the lowest-risk install posture because nothing is downloaded or written to disk by the skill installer.
Credentials
The skill declares no required environment variables, no credentials, and its config.json contains only an openid placeholder. The requested access is proportional to the functionality (sending messages to a specified QQ target).
Persistence & Privilege
always is false (normal). The skill allows normal autonomous invocation (disable-model-invocation is false), which is platform default; because the skill can send messages, users should be aware the agent could invoke it to push messages autonomously. The skill does not request persistent system-wide privileges or modify other skills.
Scan Findings in Context
[no_findings] expected: The package is instruction-only and the regex scanner had no code files to analyze; absence of findings is expected for an instruction-only skill.
Assessment
This skill appears to do what it says: it reads a local config.json to get an openid and uses your agent's message tool to send to QQ targets. Before installing: (1) confirm you are comfortable storing the target openid in the local config file and do not place secrets there; (2) verify the 'message' tool is trusted (messages sent by the agent will be delivered to the QQ account/group you specify); (3) test with your own account/group to avoid accidental broadcasts; (4) if you do not want the agent to send messages without explicit approval, keep autonomous invocation disabled at the agent/platform level. If you need more assurance, ask the skill author for a justification of the example paths and whether the skill ever reads other filesystem locations.
