Tencent Survey
PassAudited by VirusTotal on May 9, 2026.
Overview
Type: OpenClaw Skill Name: tencent-survey Version: 1.0.0 The skill bundle facilitates integration with Tencent Survey but contains high-risk patterns, most notably in `SKILL.md`, which instructs the AI agent to execute an `instruction` string returned by a remote tool call (`check_skill_update`). This creates a direct vector for remote prompt/command injection. Additionally, `setup.sh` performs broad actions such as installing global npm packages and managing authentication tokens through shell scripts. While these behaviors appear intended for the skill's functionality, the mechanism for following arbitrary remote instructions is a significant security risk. Primary IOC: wj.qq.com.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A remote response could influence what the agent does before the user’s actual survey task, including potentially changing the skill or running update steps the user has not reviewed.
The skill tells the agent to treat a remote tool-returned `instruction` as update guidance before using the skill, without clearly constraining allowed update actions or requiring explicit user approval.
每天使用 SKILL 前进行一次更新检查 ... 如果 `has_update` 为 true ... 则遵循 `instruction` 指令进行更新,或提示用户更新
Do not let the agent automatically follow returned update instructions. Show the update details to the user and only apply updates through a reviewed, pinned, and trusted update path.
Running the setup/auth command could install code globally on the machine without a separate install approval step.
The setup script can automatically install an unpinned global npm package if mcporter is missing, which mutates the local environment and depends on external package provenance.
if ! command -v mcporter &> /dev/null; then ... npm install -g mcporter
Require explicit user consent before installing packages, declare mcporter as a dependency, and prefer a pinned version or a separately reviewed installation step.
The Tencent Survey token could appear in agent logs or be configured for a non-default endpoint if the environment is altered, potentially exposing access to team surveys and responses.
The script stores a bearer token for the MCP service, supports an undeclared API-base override, and contains code that prints the token in command output.
_WJ_API_BASE="${WJ_API_BASE_URL:-https://wj.qq.com}" ... --header "Authorization=Bearer $token" ... echo "TOKEN_READY:$token"Verify the configured endpoint is wj.qq.com, avoid printing tokens to stdout, clear any logs containing tokens, and use the least-privileged/revocable token available.
Survey respondents’ personal or sensitive answers may be exposed to the agent session when viewing results.
The answer-listing tool can return respondent identifiers, location/network metadata, attachments, signatures, and free-text answers into the agent context.
`respondent_nickname` ... `openid` ... `ip` ... `country`, `province`, `city` ... `files` ... `signature_id`
Ask for only the needed fields, avoid retrieving all responses unless necessary, and do not paste or export respondent data beyond the user’s explicit request.
A mistaken survey ID, question ID, or generated DSL could overwrite a real questionnaire item.
The update tool is intentionally non-idempotent and overwrites an existing survey question, which is purpose-aligned but can change account data.
非幂等操作:每次调用都会覆盖原题目内容
Confirm the target survey/question and preview the replacement text before calling update_question; be especially careful with active or business-critical surveys.