Plugin v1.0.0
ClawScan security
禅道代码定位 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign (Apr 4, 2026, 5:02 AM)
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The plugin's code, runtime instructions, and configuration requests are coherent with its stated purpose (mapping Zentao projects to local Git repos) and do not ask for unrelated credentials or perform unexpected network activity.
- Guidance
- This plugin appears to do what it says: map Zentao projects to local repositories and query Zentao for bug/project data. Before installing, verify: 1) set zentaoUrl to your trusted Zentao server (the default placeholder IP is not authoritative), 2) use a least-privilege account for zentaoUser (avoid placing admin credentials in plugin config), 3) be aware the plugin will create and write a SQLite DB at the configured dbPath (~/.openclaw/data/zentao-manager.db by default) — check file permissions if this matters, and 4) review the plugin source (package.json points to a GitHub repo) if you need additional assurance. If you do not trust storing your Zentao password in the platform config, avoid providing it and use the plugin only for offline/local mapping operations.
Review Dimensions
- Purpose & Capability
- ok: Name/description match implemented behavior: the code manages a local SQLite DB of projects and repo mappings and calls a Zentao API (configured zentaoUrl, zentaoUser, zentaoPassword) to sync projects and fetch bug details. Requested config fields (Zentao URL/user/password and dbPath) are appropriate for that purpose.
- Instruction Scope
- note: SKILL.md instructs adding Zentao credentials into the OpenClaw plugin config and using tools to sync or locate repos; runtime code performs only the documented actions (HTTP calls to the configured Zentao API and local SQLite reads/writes). Note: the plugin will create and write a DB file under the configured dbPath (~/.openclaw/data/zentao-manager.db by default), so it will persist mapping data on disk.
- Install Mechanism
- ok: This is an instruction-and-code plugin with no external install script. Dependencies are standard npm packages listed in package.json/package-lock.json (sql.js, node-fetch, typebox). No remote arbitrary downloads or archive extraction are used.
- Credentials
- ok: The plugin requests no environment variables; it requires a Zentao URL, username, and password via plugin config, which is proportional to its need to call the Zentao API. There are no unrelated secrets requested.
- Persistence & Privilege
- ok: always is false and model invocation is normal. The plugin writes a local SQLite DB file under the user's home directory (dbPath) and ensures the directory exists. It does not modify other plugins or system-wide settings.
