Skill v1.2.12
ClawScan security
OpenClaw OneBot · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 28, 2026, 6:44 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill is internally consistent with its stated purpose (a OneBot/QQ channel plugin) and does not request unrelated credentials or unusual installs, but it relies on running npm/bash install scripts and uses a host shared directory. Review both before installing.
- Guidance: This plugin looks coherent for connecting OpenClaw to OneBot/NapCat, but take these precautions before installing:
  1. Inspect scripts/install.sh, scripts/sync-openclaw-cli.mjs and the npm scripts in package.json in the repo; they run arbitrary code when executed, and npm lifecycle hooks (preinstall, install, postinstall, prepare) run during npm install without being invoked explicitly.
  2. Restrict sharedDir to a dedicated, minimal-permission folder; do not point it at your home directory or at sensitive data.
  3. Verify that wsUrl and httpUrl point to a trusted NapCat/go-cqhttp host, and set an access token if the host supports one.
  4. Run the install inside a container or another isolated environment first.
  5. Prefer installing from the upstream GitHub repo (the README references a GitHub URL) or another trusted source rather than an unknown package archive.
Review Dimensions
- Purpose & Capability
- ok: The name/description (OneBot 11 channel plugin for QQ) match the declared requirements: node/npm and the two OpenClaw config paths channels.onebot.wsUrl and channels.onebot.httpUrl. Optional items mentioned in the docs (ffmpeg, pilk/uv) are reasonable for the documented voice pipeline and are not listed as required env secrets.
- Instruction Scope
- note: SKILL.md is mostly scoped to building/installing the plugin and updating openclaw.json (setting wsUrl/httpUrl/accessToken/sharedDir). It instructs running local scripts (bash scripts/install.sh, npm scripts, scripts/sync-openclaw-cli.mjs) and OpenClaw CLI commands. Those actions are expected for this plugin, but the docs ask the user or agent to execute repository scripts that can run arbitrary code, so the repo's scripts should be inspected and verified before execution.
- Install Mechanism
- note: There is no formal install spec in the registry (instruction-only). Installation is via repository-provided bash/npm scripts and the openclaw CLI. This avoids remote binary downloads in the skill metadata, but npm and shell scripts in the package execute on the host when run; review the package.json scripts and install.sh before running them to avoid unexpected actions.
- Credentials
- note: The skill does not request any secrets from the registry metadata; it requires two config paths (wsUrl/httpUrl) appropriate for a OneBot channel. The docs mention an optional ONEBOT_ACCESS_TOKEN (expected). The plugin uses a sharedDir/containerSharedDir to stage media, which gives the plugin and agent access to every file under that host path; limit it to a dedicated directory with minimal permissions.
- Persistence & Privilege
- ok: always: false and default autonomous invocation are set (normal). The skill will be installed as an OpenClaw plugin via openclaw plugins install and writes plugin entries into OpenClaw-managed config, which is expected for a channel plugin. It does not request elevated platform privileges in the metadata.
