Skill v1.0.5

ClawScan security

testskill-0410repo123 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 29, 2026, 4:44 AM
Verdict
suspicious
Confidence
high
Model
gpt-5-mini
Summary
The skill implements QQ/OneBot group admin features as described but contains a hardcoded WebSocket access token and an undocumented ability to read arbitrary local files and send their contents to the configured WebSocket endpoint — these are disproportionate and risky.
Guidance
Before installing or enabling this skill:
- Treat the hardcoded WS token in scripts as a red flag. Do not assume it is harmless — rotate or remove it, and verify whether it is valid in your environment.
- The script can read any local file when a parameter value starts with '@/path'. If ONEBOT_WS_URL is set to a remote host, that file content will be sent to the remote endpoint. Only use the skill in a trusted, network-isolated environment or after removing the @/ read capability.
- If you need this functionality, prefer explicitly-supplied credentials (declared env vars) rather than embedded secrets. Ask the author to remove the hardcoded token and declare required env variables in the metadata.
- Audit the script source yourself (or in a sandbox) to ensure the WS endpoint is localhost and the token is your own, not a built-in secret. Consider running in a restricted container or VM and avoid running on sensitive hosts with secrets accessible under well-known paths.
- If you installed this skill already and the embedded token might be real, rotate any affected tokens/credentials and check logs for unexpected outbound connections to non-local WS endpoints.

Review Dimensions

Purpose & Capability
concern
The skill's name/description (OneBot QQ group admin) matches the script functionality (calls OneBot actions via WebSocket). However the script contains a hardcoded WS token and an explicit NODE_PATH tweak pointing into a root user node_modules path; neither is necessary for the stated purpose and both reduce transparency. The ability to read arbitrary files (see parseArgs '@/path' behavior) is beyond typical admin action needs except for explicitly uploading an avatar, and that capability is not clearly documented in SKILL.md.
Instruction Scope
concern
SKILL.md instructs running the included Node script against a OneBot WebSocket and documents ONEBOT_WS_URL/ONEBOT_WS_TOKEN overrides, which is consistent. But the script also supports key=@/path to read local files and inject their contents into the params sent over the socket; that behavior is not documented in SKILL.md for general params and enables exfiltration of arbitrary local files if the WS endpoint is remote. The default WS_URL is localhost, but the env override makes the endpoint controllable by the environment.
Install Mechanism
ok
No install spec; this is an instruction-plus-script skill. Nothing is downloaded or written during install by the skill bundle itself, which limits install-time risk.
Credentials
concern
Registry metadata declares no required env vars, but the script reads ONEBOT_WS_URL and ONEBOT_WS_TOKEN from the environment. Worse, the script embeds a hardcoded default WS token ('FTubmd6pc77aX~XK'), which is a secret baked into the code. Requiring or embedding a token (without documenting it as a required credential) is disproportionate and risky.
Persistence & Privilege
ok
The skill is not always:true, does not request system-wide config changes, and does not modify other skills. Autonomous invocation is allowed by default but is not combined with other elevated privileges.