@openclaw/qqbot
OpenClaw QQ Bot channel plugin
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | source-size-tripled | AI (source-diff): Size increase is due to bundledDependencies (silk-wasm, zod, ws) being included in the package; expected for this plugin. | ai | |
| source-diff | obfuscated-file:node_modules/silk-wasm/lib/index.cjs | AI (source-diff): silk-wasm is a legitimate WASM audio codec library; minified bundle is expected for this package. | ai | |
| source-diff | net-exec-file:node_modules/silk-wasm/lib/index.cjs | AI (source-diff): Network-like patterns are WASM file loading via fs.readFileSync, not remote code execution; standard WASM loader pattern. | ai | |
| source-diff | large-new-source-files | AI (source-diff): 775 new files are bundled dependency sources (zod, silk-wasm); consistent with bundledDependencies declaration. | ai | |
| semgrep | semgrep:env-bulk-read | AI (semgrep): Used in a log-helper to enumerate env vars for diagnostic output; not exfiltration. | ai | |
| semgrep | semgrep:shady-links-raw-ip | AI (semgrep): Raw IPs appear only in test files explicitly testing SSRF-blocking behavior, not production code. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Decodes base64 image data from data URIs to determine image dimensions; not a payload loader. | ai | |
| dependencies | unvetted-dep:silk-wasm | AI (dependencies): silk-wasm is a legitimate audio codec library appropriate for a QQ Bot plugin handling voice messages. | ai | |
| dependencies | unvetted-dep:@tencent-connect/qqbot-connector | AI (dependencies): Official Tencent QQ Bot connector package; expected dependency for this channel plugin. | ai | |
Versions (showing 15 of 15)
| Version | Deps | Published |
|---|---|---|
| 2026.6.1 | 5 / 0 | |
| 2026.5.28 | 5 / 0 | |
| 2026.5.27 | 5 / 0 | |
| 2026.5.26 | 5 / 0 | |
| 2026.5.22 | 5 / 0 | |
| 2026.5.20 | 5 / 3 | |
| 2026.5.19 | 5 / 3 | |
| 2026.5.18 | 5 / 3 | |
| 2026.5.12 | 5 / 3 | |
| 2026.5.7 | 5 / 3 | |
| 2026.5.6 | 5 / 3 | |
| 2026.5.5 | 5 / 3 | |
| 2026.5.4 | 5 / 3 | |
| 2026.5.3 | 5 / 3 | |
| 2026.5.2 | 5 / 3 | |
v2026.6.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.5.28
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.5.27
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.5.26
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.5.22
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.5.20
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.5.19
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.5.18
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.5.12
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.5.7
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.5.6
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.5.5
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.5.4
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.5.3
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.5.2
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.