Qmsg Push

Pass

Audited by ClawScan on May 10, 2026.

Overview

This is a small Qmsg notification sender that appears purpose-aligned, but users should notice it still needs a Qmsg key, sends message text to qmsg.zendee.cn, and has some setup path ambiguity.

Install this only if you want QQ notifications through Qmsg. Before using it, confirm the script and secrets.json paths match your installation, protect the Qmsg key, and avoid sending confidential information in notification messages.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A user may install it expecting no credential setup, while the skill actually requires a Qmsg key.

Why it was flagged

The public description says no API key is needed, but the setup instructions require a Qmsg KEY. This is likely documentation inconsistency rather than malicious behavior, but it could mislead users about credential requirements.

Skill content

description: "Qmsg 酱推送,通过 QQ 主动发送消息通知,无需 API Key" ... "获取 KEY"

Recommendation

Treat the Qmsg KEY as an API credential, protect it, and update the description/metadata to clearly disclose the required key.

What this means

Anyone who can read or misuse the configured key may be able to send Qmsg notifications to the configured account.

Why it was flagged

The script reads a local Qmsg key and uses it to call the provider. This credential use is expected for the notification service, but it is still account authority that users must protect.

Skill content

return json.loads(cfg.read_text())["qmsg"]["key"] ... url = f"https://qmsg.zendee.cn/send/{key}"

Recommendation

Store secrets.json with appropriate file permissions, do not share the key, and rotate it if exposed.

What this means

Notification text may be visible to the Qmsg service and should not contain passwords, tokens, or sensitive private data unless the user accepts that exposure.

Why it was flagged

The supplied message text is sent to the external Qmsg provider. This is central to the skill's purpose, but users should understand the data leaves the local environment.

Skill content

requests.get(url, params={"msg": message}, timeout=10)

Recommendation

Use concise, non-sensitive notification messages and avoid sending secrets or confidential content through this skill.

What this means

The skill may fail or users may place the secret file in the wrong location if they follow the paths literally.

Why it was flagged

The documentation uses manual installation and inconsistent paths for the skill folder, script, and secrets file. This is mainly a setup reliability issue, not evidence of hidden behavior.

Skill content

Create `~/.workbuddy/secrets.json` ... place in `~/.workbuddy/skills/` ... `python ~/.workbuddy/qmsg_push.py "消息内容"`

Recommendation

Verify where qmsg_push.py is installed, place secrets.json where the script actually reads it, and prefer clearer install instructions.