Qwen Code

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill is a real Qwen CLI wrapper, but it encourages background auto-approved coding runs and includes persistent agent/skill management features that deserve review before installation.

Install only if you intentionally want an OpenClaw skill that can run Qwen Code against your projects. Keep it limited to a version-controlled workspace, avoid YOLO/auto-approve unless you explicitly want unattended changes, verify your Qwen credentials, and watch for any created skills, sessions, MCP servers, or extensions under your Qwen configuration.

Static analysis

Dangerous exec

Critical
Finding
Shell command execution detected (child_process).

Dangerous exec

Critical
Finding
Shell command execution detected (child_process).

Exposed secret literal

Critical
Finding
File appears to expose a hardcoded API secret or token.

VirusTotal

65/65 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A Qwen process could make broad project changes in the background, and multiple such processes could run at once if the agent follows these instructions.

Why it was flagged

The skill encourages background Qwen execution with auto-approval and parallel runs, which can modify code or project files without step-by-step confirmation.

Skill content

command:"qwen -p 'Refactor this function' -y" ... "YOLO mode for building" — `--yolo` auto-approves changes ... "Parallel is OK" — run many Qwen processes at once

Recommendation

Use YOLO mode only after explicit user approval and only in a disposable or version-controlled workspace; prefer review/dry-run modes for sensitive repositories.

What this means

Users may believe all file changes will be confirmed even when the skill's recommended workflow can auto-approve them.

Why it was flagged

The security note says modifications require confirmation, but the same artifact documents and recommends an auto-approve mode that bypasses that confirmation.

Skill content

"All code generation and modifications require user confirmation" ... "YOLO mode (auto-approve)" ... `qwen -p 'Refactor this function' -y`

Recommendation

Update the documentation to state clearly that YOLO/`-y` bypasses confirmations and should never be used unless the user explicitly asks for it.

What this means

If untrusted text reaches these command arguments, it could cause unintended shell behavior beyond running the intended qwen subcommand.

Why it was flagged

The script constructs a shell command by joining arguments and passing them to execSync, which can interpret shell metacharacters if arguments are not tightly controlled.

Skill content

execSync(`qwen ${mcpArgs.join(' ')}`, { stdio: 'inherit' });

Recommendation

Use spawn or execFile with an argument array for all qwen invocations, and validate or escape any user-provided command arguments.

What this means

Installing or invoking this wrapper could lead to persistent agent/skill artifacts that remain available after the original task is finished.

Why it was flagged

The script can create persistent Qwen skill files in the user's home directory, which extends beyond one-off code review or task execution.

Skill content

const SKILLS_DIR = path.join(process.env.HOME, '.qwen/skills'); ... fs.writeFileSync(path.join(skillDir, 'index.js'), `// ${skillName} Skill\nmodule.exports = { name: '${skillName}', execute: async (ctx) => {} };\n`);

Recommendation

Require explicit user confirmation before creating skills, restrict skill names to safe path components, and document how to list and remove created files.

What this means

The skill uses the user's Qwen/DashScope account context, which may affect API usage, billing, and access to configured models.

Why it was flagged

The wrapper reads Qwen configuration and authentication state from the user's home directory to check whether OAuth or an API key is configured.

Skill content

const SETTINGS_FILE = path.join(QWEN_DIR, 'settings.json'); ... settings.env?.BAILIAN_CODING_PLAN_API_KEY

Recommendation

Confirm which Qwen account and API key are configured before running the skill, and avoid using highly privileged credentials in shared workspaces.

What this means

Old project context or prompts may be reused in future runs, which can be helpful but may also carry stale or sensitive information.

Why it was flagged

The skill documents resuming previous Qwen sessions and identifies persistent local chat storage, so prior context may influence later tasks.

Skill content

`--continue` - resume the most recent session for the current project ... `--resume <id>` - resume the session with the given ID ... session data: `~/.qwen/projects/<cwd>/chats`

Recommendation

Review or clear Qwen session history for sensitive projects, and avoid `--continue` or `--resume` unless you intend to reuse prior context.

What this means

Users rely on the current upstream Qwen package version and npm distribution integrity when following the setup instructions.

Why it was flagged

The external Qwen CLI install is expected for this wrapper, but using a global '@latest' package means the installed code can change over time.

Skill content

npm install -g @qwen-code/qwen-code@latest

Recommendation

Install from a trusted source, consider pinning a known-good version, and review upstream Qwen CLI release notes before upgrading.