ClawHub

Openqq

Security checks across malware telemetry and agentic risk

Overview

This QQ bot appears to do what it advertises, but it lets QQ messages automatically drive a local OpenClaw agent and keeps detailed chat logs, so users should review it carefully before installing.

Install only if you intend QQ users who can message or @ the bot to influence a local OpenClaw agent. Run it under a dedicated low-privilege account, do not use the root systemd example, restrict who can reach the bot, reduce logging to `info` or `error` in production, protect or shorten log retention, and review OpenClaw tool permissions before connecting it to real QQ chats.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (6)

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The README explicitly provides a systemd unit running the bot as User=root, which unnecessarily grants the bot full system privileges. If the bot process, its dependencies, or message-handling path are compromised, an attacker could gain complete control of the host, making any application-layer bug far more severe.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill description advertises AI auto-reply, session isolation, and comprehensive logging, but it does not clearly warn users that QQ chat content will be transmitted to external services and stored in logs or conversation history. This is dangerous because users may unknowingly expose private messages, group content, or identifiers to third-party systems and persistent local storage without informed consent.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The logger records full session messages sent to and received from OpenClaw into a debug log on disk. In a chat bot context, these messages can contain sensitive user content, prompts, secrets, or personal data, and the current sanitization only masks a narrow set of token patterns, making data exposure likely if logs are accessed or retained insecurely.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The logger stores API request parameters and response data verbatim in debug logs, which can include access tokens, identifiers, prompts, user data, or upstream service responses. Because sanitization is only applied to the top-level message string and not to nested params/response objects, sensitive values are likely written to disk unredacted.

Ssd 3

Medium
Confidence
96% confidence
Finding
The bot logs full message content along with user and group identifiers before sending it to OpenClaw. In a private-chat and group-bot context, this creates a real data leakage risk because sensitive user content may be written to persistent logs accessible to operators, backups, or other processes.

Ssd 3

Medium
Confidence
97% confidence
Finding
The code persists complete user-to-agent interactions by calling `logger.logOpenClawInteraction(messageWithSender, openclawReply)`, which captures both user input and model output. This is dangerous because private conversations, prompts, secrets, and generated sensitive content can accumulate in logs and be exposed through log access, compromise, or over-retention.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal