Plugin v0.1.1-beta.12

ClawScan security

Kichi Forwarder · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 29, 2026, 3:41 AM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The plugin's code, declared inputs, and runtime instructions are coherent with a Kichi avatar-forwarder. The main concerns are that it writes per-agent state under the user home, that the instructions ask the agent to edit a project HEARTBEAT.md (workspace file) during onboarding, and that a prompt-injection scanner flagged unicode control characters in the SKILL.md, which should be checked before trusting remote load/install.
Guidance
This plugin appears to do what it says: it connects an OpenClaw agent to Kichi and stores state (host, avatarId, authKey) under ~/.openclaw/kichi-world per agent. Before installing, consider:
1) Only install in environments you trust because the plugin runs in-process with the gateway and persists auth keys locally.
2) The onboarding flow instructs the agent to update a workspace file (HEARTBEAT.md): confirm you permit automatic edits to your project files or decline that step.
3) The scanner found unicode control characters in the SKILL.md/packaged docs: examine the SKILL.md (and the remote GitHub Pages copy, if using remote install) for hidden characters or unexpected content before allowing an automatic remote install.
If you want higher assurance, inspect the published repository (code files shown are consistent with the stated purpose), run the package install from a local .tgz (npm pack) rather than allowing remote-only install, and review the runtime identity/authKey files after a test connect.
Findings
[unicode-control-chars] unexpected: The pre-scan flagged unicode control characters inside the provided SKILL.md content (or embedded assets). This could be an innocuous artifact (e.g., BOM or embedded metadata in assets) but may also be used for prompt-injection or hidden instructions when the skill is loaded remotely. It's not needed for a forwarder and should be inspected before allowing remote SKILL.md execution.

Review Dimensions

Purpose & Capability
ok: Name/description (Kichi avatar control, status sync, notes, music) matches the code and tool schemas. The package includes a websocket dependency (ws) and reads/writes local runtime state under ~/.openclaw/kichi-world, which is expected for a per-agent forwarder. No unrelated cloud credentials or unrelated binaries are requested.
Instruction Scope
note: SKILL.md and accompanying references instruct the agent to install the plugin, read remote install/heartbeat docs when loaded remotely, and to update a workspace file (HEARTBEAT.md) as part of onboarding. Editing workspace files is out-of-band for a pure websocket forwarder and should only be done with explicit user consent. The skill also directs reading of local identity files and writing authKey/avatarId into per-agent identity.json; that behaviour is coherent but impacts user home and workspace files.
Install Mechanism
ok: There is no opaque remote binary download in the install spec. The manifest references installation via the platform's 'openclaw plugins install' and/or npm pack; remote URLs used for pre-install discovery are GitHub Pages (yahaha-studio.github.io), a standard hosting location. The package uses an npm dependency (ws), which is expected for websocket-based integration.
Credentials
ok: The skill declares no required environment variables or external credentials in the registry metadata. It stores host/avatarId/authKey locally in per-agent files; that is necessary for its stated purpose. It references other local agent files (IDENTITY.md/SOUL.md) as sources for botName/bio, which is reasonable for a companion plugin, but users should confirm those files are safe to expose to the plugin.
Persistence & Privilege
note: always:false and autonomous invocation are normal. The plugin runs in-process with the OpenClaw Gateway and persists per-agent state under the user home directory; that level of persistence is expected for this function but increases risk if installed in an untrusted environment. The onboarding instructions also direct the agent to update a workspace file (HEARTBEAT.md); this file-write behavior should be consented to by the user.