Back to skill

Security audit

Qwen Code

Security checks across malware telemetry and agentic risk

Overview

This looks like a legitimate Qwen Code wrapper, but it gives broad coding-agent authority that users should review before installing.

Install only if you intentionally want OpenClaw to run Qwen Code against your projects. Prefer review/default or sandbox modes, avoid YOLO on sensitive or production repositories, review what code, diffs, logs, and secrets could be sent to Qwen, and monitor any changes to ~/.qwen skills, sessions, MCP servers, and extensions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill invokes a networked CLI and relies on environment-based authentication, but it declares no permissions or capability boundaries. That under-specification is dangerous because operators may approve or invoke the skill without understanding that it can access API keys, local config, and external services.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose presents the skill as a task runner/code-review wrapper, but the described behavior extends into local Qwen state inspection and management of extensions, MCPs, agents, sessions, and skills under ~/.qwen. This mismatch can mislead users into granting access to a tool that can enumerate sensitive local metadata and modify broader agent tooling state beyond the requested project task.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The README makes a reassuring security claim that all code generation and modifications require user confirmation, yet elsewhere it documents YOLO mode with `-y`, which explicitly auto-approves actions. In a skill that wraps an AI coding CLI and supports background execution, this inconsistency can mislead users into granting the tool more trust than warranted and increase the chance of unintended code changes or command execution without review.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The security section claims all code modifications require user confirmation, but the same document promotes YOLO mode that auto-approves changes. That contradiction creates unsafe operator expectations and can cause users to run the skill believing there is an approval gate when there is not.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The description is broad enough to match generic code-review and automation requests, increasing the chance the skill is invoked in situations where a less-privileged or more transparent tool would suffice. In context, that matters because this skill can trigger a networked external CLI and potentially touch local Qwen state, making overbroad activation riskier than ordinary documentation imprecision.

Natural-Language Policy Violations

Medium
Confidence
84% confidence
Finding
The rule 'NEVER offer to build it yourself' pushes a specific tool choice even when the user may not have explicitly consented to using this external CLI. While not directly exploitative, forcing tool selection can bypass safer alternatives and reduce meaningful user control over a network-enabled code-modifying workflow.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This example sends a Git diff containing local project changes to the external `qwen` CLI, which may forward sensitive source code, secrets, internal paths, or proprietary logic to a third-party model service. The lack of any explicit disclosure, consent flow, or redaction step makes accidental data exfiltration plausible in automation or CI contexts.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This code reads a local source file and embeds its full contents into a prompt sent to the external `qwen` command, creating a direct path for disclosure of proprietary or sensitive code. Because the example presents this as normal usage without a warning, users may unknowingly upload confidential material.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation exposes a `--yolo`/automatic approval mode that approves all operations, but it does not clearly warn that this can allow destructive filesystem, command, or network actions to proceed without human review. In a background task execution skill, normalizing unsafe approval bypasses materially increases the chance of accidental or prompt-induced harmful actions.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The examples encourage piping `git diff`, PR diffs, and application logs directly into the CLI without warning that these inputs may contain source code, secrets, credentials, PII, or internal business data. Because this skill sends content to an external model/CLI service, users may unintentionally exfiltrate sensitive data through routine automation patterns.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The API key instructions direct users to place a live credential in `~/.qwen/settings.json` in plaintext, but omit warnings about file permissions, accidental backup/sync exposure, or leakage through local compromise. Storing long-lived secrets in plain configuration materially increases credential theft risk if the workstation, home directory, or dotfiles are exposed.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
`reviewFile` reads the full local file content and embeds it into a prompt sent to the external `qwen` CLI without any explicit warning, redaction, or consent flow. This can unintentionally disclose secrets, proprietary code, credentials, or personal data if a user reviews sensitive files under the assumption analysis is local.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The MCP and extensions wrappers execute external Qwen CLI actions that may connect to remote services, install extensions, or modify local configuration, but the wrapper provides no cautionary prompt or trust boundary notice. Users may invoke these commands believing they are harmless local operations, increasing the chance of unintended remote access or local state changes.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
1. **Respect tool choice** — if user asks for Qwen, use Qwen. NEVER offer to build it yourself!
2. **Be patient** — don't kill sessions because they're "slow"
3. **Monitor with process:log** — check progress without interfering
4. **YOLO mode for building** — `--yolo` auto-approves changes (use in workspace only)
5. **Review mode for safety** — production code should use review mode
6. **Parallel is OK** — run many Qwen processes at once for batch work
7. **NEVER start Qwen in ~/clawd/** — it'll read your soul docs! Use target project dir or /tmp
Confidence
93% confidence
Finding
auto-approve

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.exposed_secret_literal

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
assets/examples/headless-mode.example.js:27

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/qwen-code.js:27

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/qwen-code.js:63