NapCat QQ Bridge Installer

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a real QQ/NapCat/OpenClaw installer, but it creates an under-protected local bridge that can expose chat logs, configuration, tokens, and message-sending controls.

Install only on a dedicated Windows machine or with a dedicated bot QQ account, and only after reviewing the generated config, firewall exposure, bridge port, NapCat WebUI/API settings, chat-log directory, and tokens. Avoid personal QQ sessions or shared networks unless you add authentication, restrict services to localhost, and are comfortable with the bridge being able to read chats and send QQ messages.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill describes significant capabilities—filesystem access, network downloads, and shell execution—yet does not declare permissions or provide an explicit trust boundary. That mismatch is dangerous because an agent or reviewer may underestimate what the skill can do, especially since it installs software, launches containers, and modifies local runtime files on a Windows host.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The runtime exposes a broad HTTP management surface (`/health`, `/logs`, `/logs/:filename`, `/config`, `/send_qq`) that goes well beyond the stated installer/start/repair/smoke-test scope. In the context of a local QQ bridge, this materially increases attack surface and creates persistent remote-control functionality that can leak data and send messages if the port is reachable by other local users or the network.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
`POST /send_qq` allows any caller to send arbitrary QQ messages through the configured bot with no authentication or authorization checks. An attacker who can reach the HTTP port can impersonate the bot, spam users/groups, or abuse the account for social engineering, and this capability is unrelated to the installer's declared purpose.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The bridge exposes `/logs`, `/logs/:filename`, and `/config` without authentication, disclosing chat transcripts and full runtime configuration, including sensitive operational details such as API URLs/tokens and monitored groups. This enables privacy compromise and can provide the secrets and context needed for further abuse of the bridge and connected services.

Missing User Warnings

High
Confidence
98% confidence
Finding
These endpoints expose sensitive data and trigger side effects without warning and, more importantly, without access control. In practice this is not merely a disclosure issue: unauthenticated access to config, logs, and outbound messaging materially compromises confidentiality and integrity of the QQ bridge.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code downloads a ZIP from a GitHub release and extracts it with ZipFile.extractall() without validating archive member paths or verifying integrity. A malicious or compromised release asset could use zip-slip path traversal or overwrite arbitrary files under the executing user's permissions.

External Transmission

Medium
Category
Data Exfiltration
Content
Download sources used by the bundled script:

- `https://api.github.com/repos/NapNeko/NapCatQQ/releases/latest`
- `winget install --id Tencent.QQ.NT --exact`

## Workflow
Confidence
73% confidence
Finding
https://api.github.com/

VirusTotal

64/64 vendors flagged this skill as clean.
