Plugin v0.5.1

ClawScan security

Keatz · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 27, 2026, 3:59 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The plugin's code matches its stated purpose (pair, poll, forward messages, and respond), but there are unexplained elements: a default backend URL that is not an obvious official Keatz domain, ambiguous install metadata, and the persistence of a channel token into the agent config. Verify the backend and publisher before installing.
Guidance
This plugin does what it says: it pairs via a code, polls a backend, forwards incoming messages into your agent, and sends replies back. Verify a few things before installing:
1) Confirm the backend URL (DEFAULT_BACKEND_URL) is an official Keatz endpoint you trust; the current default is a vercel.app host that may be a third-party service.
2) Understand that after pairing a persistent channel token is saved into your agent's config and will be used to authenticate to that backend; if you don't trust the backend, do not allow auto-saving, or do not install.
3) Check the install source the OpenClaw client will use (package name/npmSpec), because the package.json metadata looks generic; only install from a verified publisher or an official registry entry.
4) If privacy is a concern, inspect network traffic or run the plugin in an isolated/test agent first so you can observe where messages go.
If you can, ask the publisher for a homepage or canonical repository and for confirmation that the backend domain is the official Keatz service.
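The checks above can be run mechanically before install. The following script is an added example, not ClawHub's scanner and not the Keatz plugin's own code. It assumes things the scan does not confirm: that package.json carries an "openclaw": {"install": [...]} list whose entries hold "npmSpec"/"clawHubSpec" strings, that openclaw.plugin.json has a top-level "version", and that the backend is a string constant named DEFAULT_BACKEND_URL in the plugin source. The trusted-domain allowlist and the sample manifests are constructed; only the backend URL, the two version numbers and the npmSpec value "datingapp" are taken from the scan.

```python
"""Pre-install manifest audit for an OpenClaw-style plugin (added example).

Not ClawHub's scanner and not the Keatz plugin's code. Assumptions the
page does not confirm: package.json carries "openclaw": {"install": [...]}
entries with "npmSpec"/"clawHubSpec" keys; openclaw.plugin.json carries a
top-level "version"; the backend is a DEFAULT_BACKEND_URL string constant
in the plugin source. Allowlist and sample manifests are constructed.
"""
import json
import re
from urllib.parse import urlsplit

# Operator-chosen allowlist of official hosts (assumption: replace with
# whatever the publisher confirms as the canonical Keatz service).
TRUSTED_BACKEND_DOMAINS = {"keatz.com"}

BACKEND_RE = re.compile(r'DEFAULT_BACKEND_URL\s*=\s*["\']([^"\']+)["\']')


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def backend_is_trusted(url, trusted=TRUSTED_BACKEND_DOMAINS):
    # Exact match or a subdomain; "keatz.com.evil.example" must not pass.
    host = host_of(url)
    return any(host == d or host.endswith("." + d) for d in trusted)


def spec_name(spec):
    """Package-name part of an npm spec: 'name', 'name@1.2', '@s/n@^1'."""
    if spec.startswith("@"):
        return "@" + spec[1:].split("@", 1)[0]
    return spec.split("@", 1)[0]


def spec_is_pinned(spec):
    body = spec[1:] if spec.startswith("@") else spec
    return "@" in body


def install_entries(pkg):
    install = pkg.get("openclaw", {}).get("install", [])
    return [install] if isinstance(install, dict) else list(install)


def audit(pkg_json, plugin_json, source):
    """Return (code, detail) findings a reviewer should resolve before install."""
    pkg = json.loads(pkg_json)
    plugin = json.loads(plugin_json)
    findings = []

    m = BACKEND_RE.search(source)
    if not m:
        findings.append(("no-backend-url", "DEFAULT_BACKEND_URL not found"))
    elif not backend_is_trusted(m.group(1)):
        findings.append(("untrusted-backend", host_of(m.group(1))))

    if pkg.get("version") != plugin.get("version"):
        findings.append(("version-mismatch",
                         f"package.json {pkg.get('version')} vs "
                         f"openclaw.plugin.json {plugin.get('version')}"))

    if not pkg.get("homepage") and not pkg.get("repository"):
        findings.append(("no-vendor-link", "no homepage or repository"))

    # Every declared install source must name this package and be pinned;
    # an unpinned generic name resolves to whatever currently owns it.
    for entry in install_entries(pkg):
        for key in ("npmSpec", "clawHubSpec"):
            spec = entry.get(key)
            if not spec:
                continue
            if spec_name(spec) != pkg.get("name"):
                findings.append(("install-name-mismatch", f"{key}={spec}"))
            if not spec_is_pinned(spec):
                findings.append(("install-unpinned", f"{key}={spec}"))

    # Static hint that a credential is written into persistent config.
    if "config.patch" in source and "channelToken" in source:
        findings.append(("persists-credential",
                         "channelToken written via config.patch"))
    return findings


# Constructed sample inputs: the URL, versions and npmSpec value are the
# ones the scan reports; the package name and the source lines are assumed.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "datingapp",
    "version": "0.5.1",
    "openclaw": {"install": [{"npmSpec": "datingapp"}]},
})
SAMPLE_PLUGIN_JSON = json.dumps({"id": "datingapp", "version": "0.3.2"})
SAMPLE_SOURCE = """
const DEFAULT_BACKEND_URL = "https://backend-green-ten-81.vercel.app/api/v1";
await gateway.call("config.patch",
  {plugins: {entries: {datingapp: {config: {channelToken}}}}});
"""

if __name__ == "__main__":
    for code, detail in audit(SAMPLE_PACKAGE_JSON, SAMPLE_PLUGIN_JSON, SAMPLE_SOURCE):
        print(f"{code}: {detail}")
```

Run against the constructed sample it reports the untrusted vercel.app host, the 0.5.1/0.3.2 version mismatch, the missing vendor link, the unpinned npmSpec and the credential write; a clean result is not a proof of safety, only the absence of these specific red flags.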

Review Dimensions

Purpose & Capability
concern
Name/description and code align: the plugin pairs with a code, long-polls a backend, routes messages through the agent, and posts replies. However, the DEFAULT_BACKEND_URL (https://backend-green-ten-81.vercel.app/api/v1) is a vercel.app-hosted domain not clearly tied to Keatz, and the package lists no homepage or authoritative vendor. That combination (external backend, no official site) is disproportionate to what an official channel integration would be expected to show and raises privacy/trust concerns. Also, the openclaw.plugin.json version (0.3.2) differs from the package.json version (0.5.1), a minor inconsistency.
Instruction Scope
note
SKILL.md instructs pairing via a single-use code and installing the plugin; it does not request unrelated files or env vars. The runtime instructions and code will forward message content and history to the configured backend and will route the backend's messages into the agent pipeline. This behavior is expected for a messaging channel, but it means private chat content will transit and be stored/processed by the backend; confirm you trust that endpoint.
Install Mechanism
note
Registry metadata shows no platform install spec (instruction-only), and there is no download-from-URL or extract step in the scan, which reduces install risk. However, package.json contains openclaw.install entries, including an npmSpec value of "datingapp" and a clawHubSpec, that could direct an installer to fetch a generic/ambiguous package name; verify the actual install source the platform will use to avoid pulling a different package.
Credentials
concern
The skill declares no required env vars or external credentials, which is appropriate. But at runtime it acquires and persistently stores a channelToken (a credential) into the agent's gateway config via config.patch, and then uses that token to authenticate to the backend. Storing a token in global config and sending user messages to a default third-party backend is a sensitive action; ensure the backend is trusted and that you accept storing that token in your agent config.
Persistence & Privilege
note
always: false (normal). The plugin registers a background polling service (autonomous invocation) and auto-saves its own channelToken into plugins.entries.datingapp.config using the gateway's config.patch RPC. Modifying its own plugin config is normal, but it does write persistent auth state into the agent configuration; review whether you want that token persisted.
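The Credentials and Persistence & Privilege findings both come down to one question: what a plugin-issued config.patch is allowed to write. The following policy check is an added example, not the OpenClaw gateway's own code. It assumes the patch is a nested JSON object merged into the agent config and that the gateway knows which plugin id issued the RPC. The sample patches are constructed; only the path plugins.entries.datingapp.config and the key channelToken come from the scan, and the out-of-scope patch is hypothetical (nothing in the scan says this plugin writes outside its own entry).

```python
"""Gateway-side policy for a plugin-issued config.patch (added example).

Not the OpenClaw gateway's code. Assumptions: the patch is a nested dict
merged into the agent config, and the gateway knows the calling plugin id.
Sample config and patches are constructed.
"""
import copy
import re

# Leaf keys that look like credentials; persisting these into global
# config is the action the scan flags for channelToken.
SECRET_KEY_RE = re.compile(r"token|secret|password|api[_-]?key", re.IGNORECASE)


def flatten(obj, prefix=""):
    """Yield (dotted_path, leaf_value) for every leaf of a nested dict."""
    if isinstance(obj, dict) and obj:
        for k, v in obj.items():
            yield from flatten(v, f"{prefix}{k}.")
    else:
        yield prefix.rstrip("."), obj


def check_patch(plugin_id, patch):
    """Classify every path the patch would write.

    'denied': outside plugins.entries.<id>.config (never allowed).
    'credentials': in scope, but under a secret-looking key.
    'allowed': everything else in scope.
    """
    scope = f"plugins.entries.{plugin_id}.config."
    result = {"allowed": [], "credentials": [], "denied": []}
    for path, _ in flatten(patch):
        if not path.startswith(scope):
            result["denied"].append(path)
        elif SECRET_KEY_RE.search(path[len(scope):].rsplit(".", 1)[-1]):
            result["credentials"].append(path)
        else:
            result["allowed"].append(path)
    return result


def deep_merge(base, patch):
    out = copy.deepcopy(base)
    for k, v in patch.items():
        if isinstance(v, dict) and isinstance(out.get(k), dict):
            out[k] = deep_merge(out[k], v)
        else:
            out[k] = copy.deepcopy(v)
    return out


def apply_if_allowed(config, plugin_id, patch, allow_credentials=False):
    """Apply the patch only if it stays in scope and, unless the operator
    opted in, persists no credential-shaped keys. Returns (config, verdict);
    the config is unchanged when the patch is refused."""
    verdict = check_patch(plugin_id, patch)
    refused = verdict["denied"] or (verdict["credentials"] and not allow_credentials)
    if refused:
        return config, verdict
    return deep_merge(config, patch), verdict


# Constructed samples.
BASE_CONFIG = {"plugins": {"entries": {"datingapp": {"config": {"pollIntervalMs": 5000}}}}}

# The write the scan describes: the plugin saving its own channelToken.
PATCH_OWN_TOKEN = {"plugins": {"entries": {"datingapp": {"config": {
    "channelToken": "ct_example_value"}}}}}

# Hypothetical patch escaping its own subtree; not something the scan reports.
PATCH_OUT_OF_SCOPE = {
    "plugins": {"entries": {"other": {"config": {"enabled": False}}}},
    "gateway": {"bindAddress": "0.0.0.0"},
}

if __name__ == "__main__":
    for name, patch in (("own-token", PATCH_OWN_TOKEN), ("escape", PATCH_OUT_OF_SCOPE)):
        _, verdict = apply_if_allowed(BASE_CONFIG, "datingapp", patch)
        print(name, verdict)
```

With the default allow_credentials=False the channelToken write is refused and surfaced for the operator to approve; the out-of-scope patch is refused outright regardless of the flag, which is the behaviour you want from a gateway even though the scan does not claim this plugin attempts it.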