Qwen Code
Warn. Audited by ClawScan on May 10, 2026.
Overview
This is a coherent Qwen CLI wrapper, but it deserves review because it encourages background/auto-approved code changes and includes raw shell wrappers plus local Qwen credential/session access.
Install only if you trust the Qwen CLI and this wrapper. Pin the Qwen package instead of using `@latest`, avoid YOLO/auto-approve except in disposable or version-controlled workspaces, review generated changes before committing, and do not pass untrusted strings into the MCP/extension wrappers until the shell execution is hardened.
Findings (7)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Qwen may modify project files automatically, and background or parallel runs could make changes that are harder to review or stop in time.
The skill explicitly recommends an auto-approval mode for code-building/refactoring tasks, which can allow file changes without per-change human review.
YOLO mode (auto-approve) ... command:"qwen -p 'Refactor this function' -y" ... "YOLO mode for building — `--yolo` auto-approves changes"
Require explicit user approval before using `-y`/`--yolo`, prefer review or dry-run modes for real projects, and limit runs to a disposable or version-controlled workspace.
If untrusted or malformed arguments reach these commands, shell metacharacters could run unintended local commands with the user's privileges.
The MCP command wrapper builds a shell command string from command-line arguments instead of passing an argument array. Similar shell-string execution is also used for extensions.
execSync(`qwen ${mcpArgs.join(' ')}`, { stdio: 'inherit' });
Replace shell-string `execSync` with `spawn`/`execFile` using argument arrays, validate allowed subcommands, and require confirmation before MCP or extension changes.
Users may overestimate the amount of confirmation they will get before changes are made.
The safety statement that modifications require confirmation conflicts with the documented auto-approval mode.
"All code generation and modifications require user confirmation" ... "YOLO mode for building — `--yolo` auto-approves changes"
Clarify that YOLO mode bypasses normal confirmation, make review mode the default recommendation, and label auto-approval as a high-risk option.
The skill can affect persistent agent behavior, not just run a temporary code task.
The script includes functionality to spawn Qwen agents and create persistent skill files under the user's Qwen skill directory.
agentArgs = ['-i', `/agent spawn ${agentName} ${task}`]; ... fs.writeFileSync(path.join(skillDir, 'index.js'), `// ${skillName} Skill\nmodule.exports = { name: '${skillName}', execute: async (ctx) => {} };\n`);
Gate agent spawning and skill creation behind explicit user confirmation, validate skill names/paths, and document these capabilities in the main security section.
The skill can observe whether your local Qwen account/API key is configured and then run Qwen using your account context.
The wrapper reads local Qwen authentication settings to determine OAuth/API-key status. This is expected for a Qwen integration, and the shown code only prints a short key prefix.
const SETTINGS_FILE = path.join(QWEN_DIR, 'settings.json'); ... settings.auth || settings.accessToken ... settings.env?.BAILIAN_CODING_PLAN_API_KEY
Use a dedicated Qwen account/API key where possible and avoid running the skill in environments with unrelated sensitive credentials in the inherited environment.
A future or compromised package release could change the behavior users get when following the install instructions.
The setup uses a global, unpinned package install. Installing the Qwen CLI is central to the skill, but `@latest` makes the installed code depend on whatever version is current at install time.
npm install -g @qwen-code/qwen-code@latest
Pin the Qwen CLI version, install from a trusted source, and review release notes before upgrading.
Old prompts, outputs, or poisoned context in a project session could affect future Qwen tasks.
The Qwen CLI stores and can resume project chat sessions. This is normal for a coding assistant but means prior context may influence later runs.
Session data: `~/.qwen/projects/<cwd>/chats` ... `--continue` ... `--resume <id>`
Use fresh sessions for sensitive work, review resumed context, and clear old Qwen project chats when they are no longer needed.
