Pluginv0.3.79

ClawScan security

liangzimixin · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 12, 2026, 6:06 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The plugin's code and declared configuration generally match a quantum-encrypted IM channel, but there are packaging/injection red flags (hidden/unexpected characters in the SKILL.md, missing referenced files in package.json, and large minified/binary bundles) that warrant manual review before installing into production.
Guidance: Before installing: (1) Inspect the raw SKILL.md bytes for invisible/control characters or embedded base64 content and remove or reject if unexpected. (2) Audit the bundled artifacts (index.cjs, setup-entry.cjs, quantum-sdk/libqss.wasm) — because they are minified/bundled and include a WASM crypto library, review or demand source maps/original sources; run the wasm through a wasm analyzer if possible. (3) Verify package contents vs package.json (package.json lists scripts and dist/ that are not present) — ask the maintainer for a clean, reproducible release if this is concerning. (4) If you plan to use in production, run the plugin in an isolated environment (staging / sandbox) with test credentials and monitor outbound network connections to ensure it only talks to the configured endpoints. (5) Store appSecret/quantum secrets in your platform's secure secrets store (do not place plaintext secrets in general config files). If you are not able to perform these checks or obtain unobfuscated source, treat the package as untrusted.
Findings: [base64-block] unexpected: Scanner flagged a base64-block pattern in SKILL.md. The visible markdown contains only normal install/config instructions, so this is either a false positive or indicates hidden/encoded content in the SKILL.md bytes that should be inspected before trusting the file. [unicode-control-chars] unexpected: Scanner found unicode control characters inside SKILL.md. Control chars can be used to obscure text or inject invisible commands; the visible content looks normal, so this warrants a manual byte-level review of SKILL.md to confirm there is no hidden payload or tampering.

Review Dimensions

Purpose & Capability: noteName/description match the implementation: the package includes a WebSocket client, OAuth client, file upload/segmenting logic and a bundled quantum crypto SDK (WASM). The runtime configuration schema expects appId/appSecret and environment choices consistent with an IM channel plugin. Minor inconsistency: package.json.files references scripts (scripts/liangzimixin_install.sh, .bat) and a dist/ folder that are NOT present in the provided file manifest — this is a packaging mismatch worth checking (may be benign packaging omission, but it is an inconsistency).
Instruction Scope: concernSKILL.md only instructs installing the plugin and adding OpenClaw config (expected). However the pre-scan detected 'base64-block' and 'unicode-control-chars' patterns in SKILL.md (possible prompt-injection / hidden-control characters). The visible SKILL.md text is benign, but hidden control chars could be used to manipulate downstream tooling or hide content. Because the runtime instructions are the primary attack surface for instruction-only skills, the presence of these patterns is a concrete concern that requires human inspection of the raw SKILL.md bytes.
Install Mechanism: noteNo install spec is declared (instruction-only), but the published package contains large bundled/minified CommonJS files and a WASM binary. Bundled/minified code and included WASM are expected for a crypto plugin, but they are hard to audit. The package does not download remote code at install time; code is local in the package (no external extract URLs). This is lower risk than arbitrary remote downloads but increases the need to audit the bundled artifacts (index.cjs, setup-entry.cjs, quantum-sdk/libqss.wasm) for hidden behavior.
Credentials: okThe plugin expects API credentials (appId/appSecret/etc.) provided via OpenClaw configuration (openclaw.plugin.json schema). It does not request unrelated cloud credentials, global env vars, or config paths in the metadata. The declared lack of required environment variables is consistent with a model where secrets are supplied in OpenClaw's per-plugin config. The internal config supports reading crypto keys from env or file but that is optional in the schema; no unrelated credentials are requested.
Persistence & Privilege: okFlags show always:false and default autonomous invocation allowed (normal). The plugin registers a channel and setup entry and does not declare any requirement to modify other plugins or system-wide agent settings. Nothing requests permanent elevated platform-wide privileges.