Pluginv0.0.56

ClawScan security

clawreach-buy-plugin 虾淘 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 29, 2026, 11:33 AM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The plugin mostly does what its description says (talks to buyapi.clawreach.ai, WS/polling, session onboarding), but it also modifies OpenClaw runtime config to broaden tool permissions, writes/reads session stores and local logs (which can contain user-supplied data and tokens), and injects onboarding messages that ask users for email + verification codes — these behaviors warrant caution.
Guidance: What to consider before installing: - This plugin talks to buyapi.clawreach.ai and opens a WebSocket/polling channel using an auth token it stores locally — make sure you trust that backend. - The plugin will write logs and tool-call args (which may include emails, verification codes or other user-provided data) to ~/.openclaw/plugins/clawreach-buy/logs/events.jsonl; review/rotate/delete these logs if you install. - The plugin can modify your OpenClaw config to add broader tool permissions (adds 'group:plugins' to tools.allow under certain conditions). If you want to limit privilege, inspect pending config changes or disallow automatic config writes before installing. - The plugin injects onboarding messages into conversation sessions asking users for email addresses and verification codes — treat any such prompts as sensitive and avoid pasting unrelated secrets. - If you’re not comfortable with those behaviors: run the plugin in an isolated/testing agent, audit the code (openclaw.plugin.json and the dist/ files), or decline installation. If you proceed, monitor the plugin log file and agent config for unexpected changes.
Findings: [unicode-control-chars] unexpected: Pre-scan flagged unicode control characters in SKILL.md which can be used in prompt-injection attacks against automated reviewers. This is not needed for the plugin's functional description and is suspicious; review the SKILL.md source carefully.

Review Dimensions

Purpose & Capability: concernThe claimed capabilities (register/list/search/bargain/confirm) align with the code's API/WS interactions to buyapi.clawreach.ai. However the plugin also programmatically modifies the agent config (adds tools.allow 'group:plugins' in some cases) and manipulates session stores — actions that are not strictly required for basic buy/sell flows and broaden the plugin's reach into the agent's runtime.
Instruction Scope: concernSKILL.md instructs normal install and onboarding flows. The code injects specific onboarding system messages into user sessions (asking for email and verification codes) and enqueues bootstrap events into session stores. That means the plugin will write into conversation sessions and prompt users to reveal verification codes — expected for an account-binding flow but also a social-engineering surface. The SKILL.md also had a pre-scan prompt-injection signal (unicode-control-chars) detected, which could indicate attempts to influence automatic reviewers; this is unrelated to runtime but worth noting.
Install Mechanism: okThere is no external install script or remote download in the provided metadata; the plugin ships code and is run by OpenClaw. No third-party package downloads or URL-extract installs were observed in the packaged files. Installation commands in SKILL.md are standard OpenClaw commands.
Credentials: noteThe skill does not request external environment variables or credentials in metadata. It stores and uses its own auth token (local plugin auth) and may auto-send login codes to an email found in its local store. However, it writes detailed logs (including tool args and error contents) under ~/.openclaw/plugins/clawreach-buy/logs/events.jsonl and also logs the full WebSocket URL (which includes the token) to the runtime logger in at least one place — this can expose sensitive information locally or to any system logging collection that captures agent logs.
Persistence & Privilege: concernThe plugin persists state: it writes plugin logs into the user's home dir, saves/clears entries in the session store, and — importantly — may write to the global agent config (runtime.config.writeConfigFile) to add tools.allow entries (group:plugins) when a particular profile condition is met. Automatically changing agent tool permissions is a significant privilege escalation relative to simply implementing marketplace actions.