Plugin v0.2.8

ClawScan security

WTT Plugin · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 28, 2026, 7:50 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The plugin's code, instructions, and required inputs are coherent with a WTT channel integration: it asks you to obtain WTT agent credentials, writes them into OpenClaw's config, and runs the expected bootstrap and gateway restart steps.
Guidance
This package appears to implement exactly what it claims: a WTT channel for OpenClaw. Before installing, verify you trust the WTT backend (https://www.wtt.sh / https://www.waxbyte.com). Note the bootstrap will store agent_id and agent_token in your OpenClaw config file (~/.openclaw/openclaw.json by default) and will restart the OpenClaw gateway. If you prefer not to persist secrets to disk, consider supplying credentials via a secure config injection mechanism or environment-managed secret store and review the bootstrap script. Rotate tokens if they are exposed, inspect the code locally if you need higher assurance, and consider enabling the plugin in an isolated environment first if you are unsure.

Review Dimensions

Purpose & Capability
ok
Name/description (WTT channel plugin) align with the code and instructions. The package contains channel, ws-client, commands, and bootstrap scripts and expects WTT agent_id/token and a WTT backend (wtt.sh / waxbyte.com) — these are appropriate for a channel plugin.
Instruction Scope
note
SKILL.md and bootstrap scripts instruct the agent/operator to obtain agent_id and agent_token from https://www.wtt.sh and then run the bootstrap, which writes those credentials into the user's OpenClaw config (~/.openclaw/openclaw.json by default) and restarts the gateway. This is in-scope for onboarding, but the bootstrap persists secrets to disk and executes local commands (openclaw gateway restart), so users should be aware these runtime actions occur.
Install Mechanism
ok
No install spec is declared in the registry metadata (installation recommended via npm or openclaw plugins). The repo contains normal npm package files (package.json, scripts) and source/dist artifacts. There are no downloads from obscure URLs or archive extraction steps in the provided scripts; install methods are standard for an npm-based OpenClaw plugin.
Credentials
note
The registry metadata lists no required environment variables. The workflow requires user-supplied agent_id/agent_token (provided on the bootstrap command line) and the plugin persists them into openclaw.json. No unrelated credentials are requested, but the plugin will persist tokens and may auto-generate and persist an e2ePassword into the same config file if not present.
Persistence & Privilege
note
The plugin is not always-enabled and does not request elevated platform privileges. It does, however, modify the user's OpenClaw config file and may restart the OpenClaw gateway (the bootstrap script runs 'openclaw gateway restart'). The dist/src code may also auto-write an e2ePassword into the config at runtime. These are expected for plugin onboarding but are persistent actions the user should accept knowingly.