Pluginv0.1.2

ClawScan security

Openclaw A2a Plugin · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 29, 2026, 12:00 AM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: The plugin's code, documentation, and runtime instructions are consistent with an OpenClaw A2A networking plugin; it asks for no unrelated secrets and its behaviours align with the description, though the package has a large transitive dependency footprint and will accept inbound network messages and save files locally (which you should consider before enabling).
Guidance: This plugin appears to implement what it claims: agent-to-agent messaging, inbound server features, and file transfer. Before installing: (1) Understand that inbound messages can include files which the plugin will save locally — only enable inbound access for agents you trust. (2) Review any configured remote agents and custom headers (don't place secrets in config files; prefer environment substitution). (3) If you're concerned about third-party libraries, inspect the package's dependency list (bun.lock/package.json) — there are many transitive SDKs which enlarge the attack surface even if not actively used. (4) Run the plugin in a sandboxed or least-privileged environment (or restrict inbound to a tailnet/Tailscale) until you are confident with its behavior.

Review Dimensions

Purpose & Capability: okThe name/description match what the package implements: outbound tools, inbound server, Agent Card discovery, file transfer, and Tailscale integration. The included source files and dist artifacts implement parsing, inbound auth, and outbound tooling consistent with the described features. One note: the lockfile contains many transitive SDKs (AWS-related credential providers, Anthropic, etc.) — these are likely from upstream dependencies (for optional cloud/LLM integrations) and not explicit requests by the plugin, but they increase the code surface.
Instruction Scope: noteSKILL.md stays on-scope: installation is via the OpenClaw plugin installer and runtime instructions cover outbound/inbound configuration. It explicitly documents that inbound files are saved locally and that header values support ${ENV_VAR} substitution. There are no instructions to read unrelated host files or harvest environment variables, but because inbound messages can include files and the plugin will save them, users should be aware of accepting data from remote agents.
Install Mechanism: okNo custom install spec is provided (installation uses the OpenClaw plugin mechanism). All code is bundled in the package (source and dist), and there are no downloads from arbitrary URLs or extract steps in the manifest. The distribution appears to be a normal npm-style package.
Credentials: noteThe skill declares no required environment variables or credentials. It supports ${ENV_VAR} substitution for custom headers (an optional, expected feature). The lockfile lists AWS credential-provider and other SDKs as transitive deps; these do not imply the plugin will read or exfiltrate your AWS credentials by default, but they increase the set of libraries that could, if misused, access environment-provided credentials. In short: declared env access is minimal and proportional, but review any custom header usage and be cautious about optional integrations that might use cloud SDKs.
Persistence & Privilege: okalways is false and the plugin can be user-invoked or autonomously invoked per platform defaults. It does not request to be always-enabled or to modify other skills' configs. Note: any plugin that can make outbound network requests and accept inbound connections naturally has a larger blast radius if compromised — this is expected for a networking plugin and not itself a misconfiguration in the manifest.