Plugin v1.1.0

ClawScan security

GLM Search & Tools · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 16, 2026, 1:48 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The plugin's code and runtime instructions match its stated purpose (GLM/Z.AI web search, page reader, and GitHub reader) and the required API key access is proportionate, with no unusual install steps or third‑party downloads.
Guidance
This plugin legitimately needs a GLM/Z.AI API key because it forwards requests to the Z.AI / open.bigmodel.cn MCP endpoints; provision a dedicated key with the narrowest scope the provider allows. Note that the package metadata does not declare the required env vars, so you must set Z_AI_API_KEY (or one of the alternate names) in the OpenClaw gateway environment yourself. If you enforce egress policies, api.z.ai and open.bigmodel.cn are the hosts the plugin contacts; allow only those and monitor API key usage after installing. If you do not trust those external services, or prefer not to send page content to them, do not install the plugin.

Review Dimensions

Purpose & Capability
note: The plugin implements web search, a web page reader, and a GitHub repo reader that call GLM/Z.AI MCP endpoints, which aligns with its name and description. Minor mismatch: the registry metadata lists no required environment variables, but both the code and SKILL.md expect a GLM/Z.AI API key (Z_AI_API_KEY, ZAI_API_KEY, GLM_API_KEY, or ZHIPU_API_KEY).
Instruction Scope
ok: SKILL.md only instructs installing the plugin and configuring an API key and an optional region. The runtime code uses that API key to call the Z.AI / open.bigmodel.cn MCP endpoints for the stated tasks and does not reference unrelated system files or credentials.
Install Mechanism
ok: No install script that downloads arbitrary code is included; this is an instruction/code bundle that runs inside the OpenClaw gateway. All network calls target the documented GLM/Z.AI endpoints (api.z.ai and open.bigmodel.cn).
Credentials
note: The plugin requires a GLM/Z.AI API key (the code checks several env var names), which is appropriate for its function. Note that the plugin metadata does not declare these env vars as required, so you must provision the key in the gateway environment manually. The plugin does not request any other, unrelated credentials.
Persistence & Privilege
ok: The plugin's always flag is false, and it does not request elevated platform privileges or modify other skills' configurations. It can be invoked autonomously (the normal default), but the code contains no additional privileged behavior.
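The Guidance and Credentials findings above both come down to two operator checks before installing: is one of the accepted key variables actually set in the gateway environment, and do the plugin's outbound calls stay within the two documented hosts. The following is an added example of such a pre-install gate; it is not part of the ClawHub scan or the plugin's own code. It assumes the plugin accepts the first of the listed variable names that is set (the scan lists the names but not the order in which the code checks them) and that the egress policy is expressed as a hostname allowlist; the sample environment and URLs are constructed.

```javascript
// Added example, not the plugin's or ClawHub's code. Assumed lookup order:
// the scan lists these names but does not state which wins when several are set.
const API_KEY_ENV_NAMES = ["Z_AI_API_KEY", "ZAI_API_KEY", "GLM_API_KEY", "ZHIPU_API_KEY"];

// Hosts the scan reports the plugin contacting. Subdomains of these are accepted.
const ALLOWED_HOSTS = ["api.z.ai", "open.bigmodel.cn"];

// Return { name, value } for the first non-empty key variable, or null if none is set.
function resolveApiKey(env) {
  for (const name of API_KEY_ENV_NAMES) {
    const value = env[name];
    if (typeof value === "string" && value.trim() !== "") {
      return { name, value: value.trim() };
    }
  }
  return null;
}

// True only for https URLs whose hostname is an allowed host or a subdomain of one.
// Matching on the parsed hostname (not a substring of the URL) defeats tricks such as
// https://evil.example/?u=api.z.ai or https://api.z.ai.evil.example/.
function isAllowedEndpoint(urlString, allowedHosts = ALLOWED_HOSTS) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return false; // unparsable input is rejected, not passed through
  }
  if (url.protocol !== "https:") return false; // plaintext to the API hosts is a finding too
  const host = url.hostname.toLowerCase();
  return allowedHosts.some((h) => host === h || host.endsWith("." + h));
}

// Combine both checks into a structured result so the gate can run in CI or at install
// time. Nothing is printed from here; callers decide how to surface the findings.
function preinstallCheck(env, outboundUrls) {
  const key = resolveApiKey(env);
  const findings = [];
  if (!key) {
    findings.push("no API key found; set one of " + API_KEY_ENV_NAMES.join(", "));
  }
  for (const u of outboundUrls) {
    if (!isAllowedEndpoint(u)) findings.push("outbound URL not in allowlist: " + u);
  }
  return { ok: findings.length === 0, keyVar: key ? key.name : null, findings };
}

// Constructed sample input (not captured from a real gateway): the key is provided
// under the third accepted name, and one outbound URL impersonates an allowed host.
const sampleEnv = { PATH: "/usr/bin", GLM_API_KEY: " example-key-not-real " };
const sampleUrls = [
  "https://api.z.ai/",
  "https://open.bigmodel.cn/",
  "https://api.z.ai.evil.example/",
];
const sampleResult = preinstallCheck(sampleEnv, sampleUrls);
console.log(JSON.stringify(sampleResult, null, 2));
```

The sample run reports the key as found under GLM_API_KEY and flags the look-alike host as the single finding, so the gate fails closed until the plugin's outbound calls are confirmed to stay on api.z.ai and open.bigmodel.cn.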