Plugin v3.0.10

ClawScan security

KinthAI · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 29, 2026, 6:05 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The plugin largely matches its stated purpose (connect OpenClaw agents to kinthai.ai) but it makes global config changes, exposes remote admin file-read/write over the channel, and includes an updater — these behaviors are explainable but deserve caution before install.
Guidance
This plugin appears to do what it claims (connect OpenClaw to kinthai.ai) but it also makes global config changes, stores tokens locally, accepts remote admin commands, and can read/write certain workspace files. Before installing:
1) Verify you trust the upstream (https://kinthai.ai) and the package owner;
2) Review the updater code and consider network egress controls if you don't want automatic downloads;
3) Back up your OpenClaw config and inspect the token file location after install;
4) Accept that the plugin will attempt to add 'kinthai_*' to tools.alsoAllow (exposing additional tools to your LLMs) — if you prefer manual control, skip the auto-patch and add the pattern yourself;
5) If you host sensitive secrets in workspace markdown files, audit which files are readable by the plugin's whitelist (IDENTITY.md, MEMORY.md, etc.) and move secrets out of those files.
If you need lower risk, install in a test environment first or require manual approval for updates.

Review Dimensions

Purpose & Capability
note: Name/description (KinthAI channel) align with the code: HTTP/WebSocket client, file upload, token management, agent registration. However, the plugin also idempotently patches global OpenClaw config (adds 'kinthai_*' to tools.alsoAllow) and provides remote admin (file_request/file_push) and updater capabilities — these are plausible for a channel but are broader privileges than a simple messaging adapter.
Instruction Scope
note: SKILL.md instructions match the code: the npx installer writes channels.kinthai.email, restarts the gateway, stores tokens at ~/.openclaw/credentials/kinthai/.tokens.json, and agents register with the KinthAI API. The runtime behavior includes handling remote admin.file_request and admin.file_push events (reading/writing whitelisted workspace files) and remote admin commands (upgrade/restart). Instructions properly warn not to run the installer inside an agent sandbox.
Install Mechanism
note: No registry 'install' spec in the manifest, but the package contains an npx/bin installer (scripts/setup.mjs) and references an updater module. Using npx/npm is normal but means code is fetched from the package registry at install time. The presence of an updater (updater-download/updater.js) implies the plugin can fetch/perform upgrades later — expected for managed plugins but increases the runtime code-fetch surface.
Credentials
note: The plugin declares no required env vars or external credentials in registry metadata; it stores agent API tokens under ~/.openclaw/credentials/kinthai/.tokens.json (expected for a channel). It accesses agent workspace files, but the file-sync module enforces a whitelist and a blacklist (blocks .tokens.json, .env, device.json, plugin manifest). Requesting to write a config key (channels.kinthai.email) and to add 'kinthai_*' to tools.alsoAllow is within scope but is a privileged change to global config.
Persistence & Privilege
concern: Plugin modifies global OpenClaw configuration (writeConfigFile) to append kinthai_* to tools.alsoAllow, and the installer restarts the gateway. It provides remote admin capabilities (file_request/file_push limited by whitelist) and an updater mechanism. These are plausible for a channel but combined give long-lived privileges (config mutation + remote file ops + auto-update) that increase risk if the remote backend or plugin supply chain is compromised.