onebot QQ群管理 (QQ group management)

Security checks across malware telemetry and agentic risk

Overview

This QQ group admin skill is useful for its stated purpose, but it gives broad bot-control power with weak boundaries and an embedded default token.

Install only if you trust the publisher and intend to let an agent control a QQ bot with administrator powers. Before use, remove the embedded fallback token, configure your own OneBot token explicitly, restrict the script to approved group-management actions, avoid the @/path/to/file parameter form, and require explicit confirmation for kicks, mutes, admin changes, message deletion, and public group updates.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Description-Behavior Mismatch
Severity: Medium
Confidence: 90%
Finding: The documented examples extend beyond the stated scope into profile modification, avatar changes, message deletion, and information retrieval. This inconsistency broadens the practical authority of the skill and can lead users or orchestrators to trigger more invasive actions than they would expect from a narrowly described group-admin tool.

Description-Behavior Mismatch
Severity: High
Confidence: 99%
Finding: The script explicitly advertises itself as a caller for arbitrary OneBot APIs, which exceeds the declared group-admin scope of the skill. In an agent setting, this creates a capability mismatch: callers may invoke unrelated or more sensitive bot actions than users and policy expect, undermining least privilege and enabling unauthorized operations.

Description-Behavior Mismatch
Severity: High
Confidence: 99%
Finding: The code takes any user-supplied action string and forwards it directly to the OneBot WebSocket endpoint without validation. This gives the skill a generic remote-control surface over the bot/API rather than a constrained group-management interface, allowing misuse for unintended actions if the connected OneBot implementation supports them.

Context-Inappropriate Capability
Severity: Medium
Confidence: 96%
Finding: The @/path/to/file syntax permits arbitrary local file reads and inserts the contents into API parameters, creating an exfiltration primitive. Because those parameters are later sent over the WebSocket connection, an attacker who can influence arguments can cause sensitive local files to be disclosed to the OneBot service or downstream recipients.

Intent-Code Divergence
Severity: Medium
Confidence: 92%
Finding: The documentation frames the tool as a generic 'any OneBot API' invoker, which contradicts the manifest's narrower group-admin purpose. In an agent ecosystem, misleading documentation increases the chance the skill will be used with broader privileges than intended and normalizes unsafe pass-through behavior.

Vague Triggers
Severity: Medium
Confidence: 84%
Finding: The trigger phrase `群管理` ("group management") is overly broad and can match casual conversation or ambiguous requests, increasing the chance that this high-impact admin skill is selected when a safer or more specific skill should be used. In context, accidental invocation is especially risky because the skill can perform destructive group operations like kick, mute, and announcement changes.

Missing User Warnings
Severity: Medium
Confidence: 80%
Finding: The skill advertises multiple irreversible or disruptive operations (kicking users, muting, whole-group mute, and message deletion) without a prominent consolidated warning about side effects and required authorization. In this context, the lack of strong UX and policy warnings increases the chance of accidental misuse of privileged bot capabilities against group members or content.

Missing User Warnings
Severity: Medium
Confidence: 90%
Finding: This code reads arbitrary local file content and silently includes it in outbound API parameters, with no disclosure that local data will be transmitted. In the context of an agent skill, that combination materially increases the risk of stealthy data exfiltration from the host environment.

VirusTotal

59/59 vendors flagged this skill as clean.