Plugin v1.2.12
ClawScan security
OpenClaw OneBot Plugin · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 28, 2026, 6:44 AM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The plugin implements the advertised OneBot/QQ integration and mostly behaves as described, but the runtime instructions and included code access local files and environment variables that the registry metadata does not declare — review install scripts, env var usage, and file staging behavior before installing.
- Guidance
- What to check before installing:
  - Inspect scripts/install.sh and scripts/sync-openclaw-cli.mjs before running; don't execute them as root. They prepare packages, call local npm, and modify OpenClaw plugin state.
  - Confirm you have and are willing to use the required tools the README assumes (npm/node, OpenClaw CLI, ffmpeg for voice, and 'uv'/'pilk' if using SILK). The registry metadata did not declare these — that's a mismatch.
  - The plugin reads these environment variables if not configured in openclaw.json: ONEBOT_WS_URL, ONEBOT_HTTP_URL, ONEBOT_ACCESS_TOKEN, ONEBOT_SHARED_DIR, ONEBOT_CONTAINER_SHARED_DIR. Set them deliberately and document them securely (access tokens are sensitive).
  - The plugin stages local files: it will stat/copy files into a shared directory (sharedDir) so NapCat can access them; ensure sharedDir points to a directory you control and that the plugin user has only limited read/write access. Understand that sendMedia can cause arbitrary local file paths to be copied and delivered to the configured OneBot endpoint.
  - Only point httpUrl/wsUrl/accessToken to a trusted NapCat/go-cqhttp instance. A malicious/compromised bot endpoint could cause sensitive content to be transmitted.
  - If you want a lower-risk test: run the plugin inside an isolated container with a dedicated sharedDir, and avoid enabling voice/file features until you've reviewed behavior. Consider asking the author to update registry metadata to declare the env vars and required binaries explicitly.
  - If unsure, request a maintainer-signed release on a known package registry or run a code review focusing on scripts and outbound network calls (callApi uses fetch to the configured httpUrl endpoints).
Review Dimensions
- Purpose & Capability
- note: The code and SKILL.md match the declared purpose: a OneBot 11 channel plugin for OpenClaw (NapCat/go-cqhttp integration, reactions, streaming, voice pipeline). However the SKILL.md and code expect local tooling and CLI operations (npm, bash, openclaw CLI, ffmpeg, optional 'pilk'/uv) and a writable shared directory; the registry metadata listed no required binaries or env vars. That mismatch (declaring nothing while expecting CLI tools and environment variables) is unexpected and should be clarified.
- Instruction Scope
- concern: SKILL.md tells the user to run scripts/install.sh, npm install/build and openclaw plugins install and to restart the OpenClaw gateway. Those instructions will run code locally, prepare release payloads, and modify OpenClaw's plugin installs. The runtime also processes and stages arbitrary local media files (copyFile/stat/prune) to a sharedDir for NapCat. While these are needed for media/voice support, they expand scope beyond 'just messaging' — they require file read/write access and running commands on the host.
- Install Mechanism
- note: There is no platform install spec (instruction-only at registry level) but the repository includes install/uninstall/sync scripts and npm build artifacts. The install uses local scripts (scripts/install.sh, scripts/sync-openclaw-cli.mjs). There are no downloads from unknown remote URLs in the provided files. Because the installer is a repository script (not a vetted package install), users should inspect scripts before executing.
- Credentials
- concern: Registry metadata claims no required env vars, but the code reads environment fallbacks: ONEBOT_WS_URL, ONEBOT_HTTP_URL, ONEBOT_ACCESS_TOKEN, ONEBOT_SHARED_DIR, ONEBOT_CONTAINER_SHARED_DIR. The plugin also expects an access token in config or env for OneBot HTTP/WS calls. The code will copy arbitrary absolute file paths into the shared staging directory for delivery to the bot framework — this requires write access and could expose local files if misconfigured. The required env/binary surface is larger than declared.
- Persistence & Privilege
- note: always:false (no forced global presence). The install/process will write plugin install records via openclaw plugins install and stage files under the configured sharedDir — this is normal for a channel plugin. Be aware that the skill can be invoked autonomously (platform default). Combined with file staging and outbound network calls to the configured OneBot HTTP endpoint, that increases potential impact if the endpoint or config is untrusted.
