Plugin v2026.3.22

ClawScan security

Matrix · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 23, 2026, 9:58 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The package appears to implement a Matrix channel plugin and its code, dependencies, and runtime behavior match that purpose; there are no obvious mismatches or covert exfiltration mechanisms in the provided files.
Guidance
This plugin is coherent with its stated purpose (Matrix channel integration). Before installing:
1) Decide which Matrix auth mode you'll use — password/token or env-backed — and avoid setting broad MATRIX_* env vars if you don't want the plugin to pick them up.
2) Review where your agent stores state/config (stateDir), because access tokens or derived credentials may be written there; consider using a dedicated Matrix service account with limited privileges.
3) Install from the official npm/registry source you trust and review package.json and the code (already provided) if you need to confirm no network endpoints beyond Matrix homeservers are contacted.
4) Because the plugin can be invoked autonomously by the agent (default behavior), ensure you trust the plugin and the homeserver accounts it will use; rotate tokens if you stop using the plugin.
If you want tighter guarantees, run the plugin in a sandboxed agent or review the specific files that handle credential storage and network calls (resolveMatrixAuth, MatrixAuthedHttpClient, resolveMatrixCredentialsPath).
Findings
[system-prompt-override] unexpected: A prompt-injection pattern was detected in the SKILL.md scanner. The SKILL.md content provided is package.json and openclaw metadata; this is likely a false positive from the regex scanner rather than an actual system-prompt override attempt. Still, the finding should be treated as a signal to review any free-form README or runtime instructions for unusual prompt-mangling text.

Review Dimensions

Purpose & Capability
ok
Name/description match the code and declared dependencies (matrix-js-sdk, matrix-sdk-crypto-nodejs, fake-indexeddb, etc.). The code is Matrix-specific (clients, directory lookups, crypto bootstrap, onboarding, CLI) and the requested npm deps are consistent with that functionality.
Instruction Scope
note
SKILL.md (package.json content) and runtime code instruct the plugin to read and write its own OpenClaw config and stateDir, read optional Matrix-related env vars (e.g., MATRIX_*), and call Matrix homeserver APIs. This is expected for a channel plugin, but the registry metadata lists no required env vars while the code conditionally uses environment variables for auth; users should note that the plugin will read those env vars if present and will persist credentials to the agent's state directory.
Install Mechanism
ok
No external download URLs or extract steps are present. Dependencies are standard npm packages. The package includes openclaw.install metadata pointing to an npm spec/local path, which is appropriate for an OpenClaw plugin.
Credentials
note
The skill declares no required env vars, but the code supports optional MATRIX_* env vars for env-backed accounts and will read those if present. It also stores credentials under the agent stateDir (functions resolveMatrixCredentialsPath / resolveMatrixAccountStorageRoot). This behavior is proportional to a Matrix channel plugin, but users should be aware that tokens may be written to disk by the plugin.
Persistence & Privilege
ok
The always flag is false and the skill does not request elevated platform privileges. It registers gateway methods and CLI hooks and reads/writes its own config/state via the plugin runtime API — expected behavior for a channel plugin and scoped to the plugin's config/state.