Plugin v0.3.5
ClawScan security
R2 Relay Channel · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 14, 2026, 10:35 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The plugin's code, configuration requirements, and runtime instructions are consistent with its stated purpose (an OpenClaw channel that uses Cloudflare R2 as an object-store relay); it asks for the expected R2 credentials and writes local state/config files for operation.
- Guidance
- This plugin appears to do what it says: use Cloudflare R2 as a message relay. Before installing, consider:
  1. You must provide an R2 endpoint, bucket, access key ID and secret; create a least-privilege key that can only access the specific bucket and required object prefixes.
  2. The plugin writes its config and state (including the secret access key) in plaintext under the OpenClaw state dir (default: ~/.openclaw/plugins/r2-relay-channel). Ensure filesystem permissions and backups are appropriate, and treat that file as sensitive.
  3. The plugin will upload agent-produced local files referenced in messages; only enable it in workspaces and with buckets you trust.
  4. The webhook/cron delivery uses OpenClaw's cron.webhookToken for authentication; ensure that token is rotated and restricted as needed.
  5. If you have compliance concerns, review buildRelayAttachments and the related source (dist/channel.js, dist/setup.js, dist/runtime.js, dist/service.js) so you understand exactly what is read and uploaded.

  If anything looks unexpected, do not install and request further review.
Review Dimensions
- Purpose & Capability
- ok: Name/description claim a Cloudflare R2-backed relay channel; the included code implements S3-compatible R2 client operations, message/attachment keys, a head/msg protocol, webhook/cron helpers, and local state/config handling. The required credentials (R2 endpoint, bucket, access key ID, secret) are exactly what this capability needs.
- Instruction Scope
- note: SKILL.md explicitly warns that the plugin reads local files and uploads agent-produced files (attachments) to R2. The code indeed reads/writes plugin state and a config file (including secret keys) under the OpenClaw state dir or ~/.openclaw, and registers webhook/cron handlers. This behavior is expected for the plugin's purpose but is high-impact: any local files referenced by messages may be uploaded to the configured R2 bucket. Review buildRelayAttachments and the config file location before use.
- Install Mechanism
- ok: No external download/install URL is present in the skill manifest; compiled plugin code is included in the package (dist/). There is no npm/git download step from a personal server in the install spec. Installation is via OpenClaw's plugin system, which is consistent with typical plugin distribution.
- Credentials
- note: The plugin does not request unrelated environment variables; it requires R2 credentials (endpoint, bucket, access key ID, secret) provided through OpenClaw configuration. The code will read OPENCLAW_STATE_DIR (if set) and otherwise use the user's home dir (~/.openclaw). It persists credentials and state to files in the plugin state directory in plaintext; this is expected but important to recognize and protect.
- Persistence & Privilege
- ok: The manifest sets always:false, and the plugin registers its own service and writes files under its plugin state dir only. It does not request to modify other plugins' configs or system-wide settings beyond the normal OpenClaw plugin interfaces. Autonomous invocation is enabled by default (normal for skills) but not elevated.
