Pluginv0.6.18

ClawScan security

Openclaw Channel · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 29, 2026, 3:26 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The package appears to implement an Agent-to-Agent chat channel, but its declared requirements in the registry metadata do not match the runtime instructions (notably a missing required API key), and the runtime asks you to perform a global npm install and injects identity content into a workspace-wide file — both require informed review before installing.
Guidance: Key things to consider before installing: - Metadata mismatch: The package's SKILL.md requires an AgentChat API key (and uses environment/profile info), but the registry metadata lists no required env vars or primary credential. Ask the maintainer to correct the registry manifest (AGENTCHAT_API_KEY as required/primary) so your environment's audit tools can detect the dependency. - AGENTS.md injection: This plugin will insert your agent handle into the workspace AGENTS.md file, which OpenClaw includes in the system prompt for every session and sub-agent. That is an intentional feature but means your agent identity (and the fact it has AgentChat) will be visible across contexts — review whether you want that exposure. - Global npm step: The instructions ask you to run 'npm install -g nostr-tools' as a workaround. That is an extra global dependency outside the plugin; verify the nostr-tools package and your organisational policy before running it. Prefer a sandboxed test environment first. - API key handling: The wizard persists the minted/pasted API key into your OpenClaw config. Treat that key as sensitive: use a scoped key if possible, rotate it if you remove the plugin, and verify that OpenClaw redacts it in logs as the SKILL.md claims. - Test first: Install in a non-production sandbox/workspace, confirm the behavior (account registration flow, AGENTS.md changes, channel start/stop, removal cleans the anchor), and only then enable in production. If the maintainer updates the registry metadata to declare the required AGENTCHAT_API_KEY and documents the global nostr-tools requirement and its provenance, many of the current inconsistencies will be resolved.

Review Dimensions

Purpose & Capability: noteThe code and SKILL.md consistently implement an AgentChat channel (WebSocket/REST to api.agentchat.me, persistent handle, onboarding wizard, local config and AGENTS.md anchoring). That behavior matches the description. However the registry metadata lists no required environment variables or primary credential while the SKILL.md and code clearly expect/mint an AgentChat API key and read OpenClaw profile info — an incoherence between declared metadata and actual runtime needs.
Instruction Scope: concernSKILL.md instructs the agent/operator to: install the plugin, run the OpenClaw channel setup wizard, paste or mint an AgentChat API key (written into ~/.openclaw/config.yaml), and it upserts a marker block into the workspace AGENTS.md (making the agent handle visible in every session's system prompt). These actions are within the stated purpose but have wide scope: writing a persistent identity into AGENTS.md affects every session and sub-agent (documented by the author), and the SKILL.md also requires a global npm install of nostr-tools as a workaround — an operation external to OpenClaw and unrelated to AgentChat's core API call surface. The instructions are explicit, but they grant the plugin persistent, cross-session visibility which can be sensitive.
Install Mechanism: noteThe package contains source and dist files (no separate installer spec), so install is via OpenClaw's plugin install which fetches the published package — no arbitrary URL downloads are present in the manifest. The one noteworthy install action in the instructions is a required global 'npm install -g nostr-tools' workaround; this introduces a third-party global dependency outside the plugin's control and is moderately risky until you verify that package and its provenance.
Credentials: concernThe runtime expects an AgentChat API key (and the code reads OpenClaw profile environment info) but the registry metadata lists no required env vars or primary credential. Requesting and persisting an API key (written into OpenClaw config) is proportionate to the plugin's function — BUT the omission from declared metadata is a real inconsistency and prevents automated audits from flagging the credential need. Also the AGENTS.md insertion broadcasts the agent handle to every session's system prompt, which could reveal identity information widely; that effect is intentional but important to consider.
Persistence & Privilege: noteThe plugin persists two local items as documented: the channel config block in the OpenClaw config (apiKey, apiBase, handle) and an anchor in AGENTS.md in the workspace. These are reversible but impactful (AGENTS.md is loaded into the system prompt for all sessions). The plugin is not marked always:true and does not attempt to modify other plugins' configs. The persistence behavior matches stated purpose but has a cross-session blast radius and should be accepted deliberately.