ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Napcat Qq Bridge Installer

v1.0.1

Install, start, repair, and smoke-test a Windows QQ + NapCat + OpenClaw bridge. Use this when the user explicitly wants an end-to-end local QQ bot setup, nee...

0· 381·1 current·1 all-time
by@sunnyspot114514

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for sunnyspot114514/napcat-qq-bridge-installer.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Napcat Qq Bridge Installer" (sunnyspot114514/napcat-qq-bridge-installer) from ClawHub.
Skill page: https://clawhub.ai/sunnyspot114514/napcat-qq-bridge-installer
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install napcat-qq-bridge-installer

ClawHub CLI

Package manager switcher

npx clawhub@latest install napcat-qq-bridge-installer
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description, SKILL.md, and included files (scripts/manage.py, bridge.mjs, start/stop bat templates) all align: they install NTQQ via winget, download NapCat releases from GitHub, install/configure a bridge, and bootstrap an OpenClaw container via WSL+Docker. No unrelated credentials, binaries, or external services are requested.
Instruction Scope
Instructions perform privileged local operations that are expected for this task: downloading and extracting NapCat, writing runtime config under the chosen runtime root, querying the registry for QQ, installing via winget, starting processes, and launching NapCat by injecting/launching a DLL into QQ. These actions are within scope but are intrusive (process injection, service management, admin elevation). The SKILL.md does not ask for unrelated files or secrets.
Install Mechanism
This skill is instruction-driven with bundled scripts; it downloads NapCat assets at runtime from the GitHub Releases API (api.github.com), and uses well-known tools (winget, docker images from Docker Hub). There is no opaque third‑party URL shortener or personal server in the manifest. No install spec is included (lowest platform install risk).
Credentials
The skill declares no required environment variables or credentials. Runtime behavior generates local tokens and writes local config files under the selected runtime root. It does require administrative rights for some operations (start-all.bat elevates) and access to WSL/Docker, which is proportionate for installing and running a local bridge.
Persistence & Privilege
always:false and user-invocable:true. The skill creates local files, a Docker container/volume, and start/stop scripts in the chosen runtime root, but does not request permanent platform-level privileges or modify other skills’ configs. It will attempt to run commands requiring admin/WSL privileges, which is expected but sensitive.
Assessment
This skill appears to do what it says, but it performs intrusive local operations that you should understand before running: it will download and extract NapCat code from GitHub, install Tencent.QQ.NT via winget if needed, write configuration and token files into the chosen runtime folder, create/start a Docker container in WSL, and launch NapCat by injecting/starting helper executables/DLLs into the QQ process. Only install/run this on a machine you control and trust (or inside a VM). Review the downloaded NapCat release and bundled files before executing, be prepared to approve admin elevation, and expect a manual browser OAuth step for OpenClaw/OpenAI onboarding. If you need higher assurance, download NapCat manually (or verify release checksums) and inspect the extracted binaries before using the automated installer.
!
assets/runtime/bridge.mjs:4
File read combined with network send (possible exfiltration).
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.

Like a lobster shell, security has layers — review code before you run it.

latestvk97f9kz7fd1qknn9prm1b8ypqh82ktdj
381downloads
0stars
2versions
Updated 17h ago
v1.0.1
MIT-0
@sunnyspot114514
latest
Download

NapCat QQ Bridge Installer

Overview

Use this skill for Windows hosts that need a local QQ bot stack built around NTQQ, NapCat, and an OpenClaw agent running through WSL + Docker.

This skill is script-driven. Prefer the bundled Python entrypoint instead of rewriting the setup flow by hand:

  • scripts/manage.py

The script can:

  • install NTQQ with winget if QQ is missing
  • download the latest public NapCat release from GitHub at runtime
  • overlay a local bridge.mjs, start-all.bat, and stop-all.bat
  • generate config/bridge.json and config/onebot11_<qq>.json
  • bootstrap a basic OpenClaw Docker container if requested
  • start, stop, repair, health-check, and smoke-test the bridge

When To Use It

Use this skill when the user asks for any of the following:

  • install a QQ bot on Windows
  • wire NapCat to OpenClaw
  • download NTQQ / NapCat automatically
  • repair a broken QQ bridge
  • start or stop an existing NapCat + OpenClaw runtime
  • verify whether QQ replies are still flowing

Do not use this skill for official QQ APIs or cloud-hosted bot platforms. This is for local unofficial automation with NapCat.

Host Prerequisites

Expect these host tools to exist or be installable on demand:

  • Windows with Python 3 available as python
  • winget for installing Tencent.QQ.NT
  • wsl.exe
  • Docker inside the selected WSL distro

Download sources used by the bundled script:

  • https://api.github.com/repos/NapNeko/NapCatQQ/releases/latest
  • winget install --id Tencent.QQ.NT --exact

Workflow

1. Pick the runtime root

Default runtime root:

  • C:\Users\<user>\NapCat.OpenClaw

If the user already has an extracted NapCat runtime, point -Root at that folder and prefer repair over install.

2. Run the bundled manager

Typical install:

python .\scripts\manage.py `
  -Action install `
  -Root C:\Bots\NapCat.OpenClaw `
  -BotQq 123456789 `
  -AdminQq 987654321 `
  -GroupIds 123456,234567 `
  -BootstrapOpenClaw

Typical repair:

python .\scripts\manage.py `
  -Action repair `
  -Root C:\Bots\NapCat.OpenClaw `
  -BotQq 123456789

Start / stop / health / smoke test:

python .\scripts\manage.py -Action start -Root C:\Bots\NapCat.OpenClaw
python .\scripts\manage.py -Action stop -Root C:\Bots\NapCat.OpenClaw
python .\scripts\manage.py -Action health -Root C:\Bots\NapCat.OpenClaw
python .\scripts\manage.py -Action smoke-test -Root C:\Bots\NapCat.OpenClaw

3. Handle OpenClaw auth when needed

If the OpenClaw container is new or unauthenticated, the user still needs one browser login step for openai-codex.

Use:

python .\scripts\manage.py -Action auth -Root C:\Bots\NapCat.OpenClaw

That action opens a terminal with the recommended onboarding command. Do not promise fully unattended OAuth login.

4. Validate the running bridge

After install or repair, always run:

  • health
  • smoke-test

If the user already has a live QQ session, prefer a private-message self-test to the configured admin QQ.

Safety And Publishing Constraints

  • This skill is public. Never hardcode a real QQ number, group ID, token, container auth blob, or local secret into the published files.
  • Generate local tokens at install time inside config/bridge.json and config/onebot11_<qq>.json.
  • Generate config/.env and config/webui.json values locally for NapCat quick-login fallback. Do not publish real runtime secrets.
  • Download NTQQ and NapCat from public runtime sources at execution time. Do not bundle vendor binaries into the skill.
  • If the OpenClaw container already exists, repair it in place instead of deleting user data.
  • Do not assume quick login can bypass every QQ verification challenge. QQ may still require a fresh verification step.

Bundled Resources

  • scripts/manage.py: main entrypoint for install, auth, start, stop, repair, health, and smoke test
  • assets/runtime/bridge.mjs: generic Windows-host bridge that talks to NapCat and calls OpenClaw through wsl docker exec ... openclaw agent
  • assets/runtime/start-all.bat.txt: rendered into the runtime root
  • assets/runtime/stop-all.bat.txt: rendered into the runtime root

Comments

Loading comments...