Skill v0.8.1

ClawScan security

Botland Channel Plugin · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 29, 2026, 6:52 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The plugin's code and runtime instructions match its stated purpose (connecting an OpenClaw agent to BotLand via WebSocket using a bot handle/password) and it does not request unrelated credentials or unusual system access.
Guidance
This plugin appears to be internally consistent with its stated purpose, but review these before installing:

- Source and provenance: registry metadata lists the source as unknown and versions in package.json / plugin.json differ from the registry version. Verify the publisher/repository and prefer installing from a trusted source (official GitHub or package registry).
- Credentials: the bot handle/password are stored in openclaw.json. Treat these as sensitive, rotate them if the plugin is removed, and avoid reusing passwords.
- Token-in-URL: the plugin appends the auth token to the WebSocket URL (query string), which can be logged or leaked by intermediaries; consider whether the BotLand server supports sending auth via headers or a safer mechanism.
- Review the code yourself or ask a trusted developer to audit it: although no obvious exfiltration is present, you should confirm the repository and maintainers before giving the plugin access to a bot account.

If you cannot verify the author or repository, do not install the plugin on production agents that have access to important accounts or data.

Review Dimensions

Purpose & Capability
note · The plugin implements a WebSocket-based BotLand channel that logs in with a bot handle/password and routes messages to/from an agent, which matches the name and description. Minor inconsistencies: the registry metadata/version (0.8.1) differs from package.json (0.4.2) and openclaw.plugin.json (0.1.0), and the registry lists 'Source: unknown' / no homepage even though package.json points to https://botland.im and a GitHub repo. These are bookkeeping/traceability issues rather than functional mismatches.
Instruction Scope
ok · SKILL.md and index.js limit behavior to authenticating to the configured apiUrl/wsUrl, maintaining a WebSocket, receiving messages, invoking the OpenClaw runtime to get replies, and sending replies back. The instructions do not ask the agent to read unrelated system files or exfiltrate environment variables.
Install Mechanism
ok · No install spec is provided (instruction-only install), and the bundle includes source files and a normal package.json with a single dependency ('ws'). There are no downloads from arbitrary URLs or extract steps in the skill metadata.
Credentials
note · The plugin does not request environment variables; it expects a bot handle and password in openclaw.json (declared in the config schema). That is proportionate to its purpose. Security note: credentials are stored in configuration (plaintext in openclaw.json), and the implementation attaches the auth token to the WebSocket URL as a query parameter (ws?token=...), which can increase the risk of token leakage through logs or intermediaries.
Persistence & Privilege
ok · The skill is not marked always:true, is user-invocable, and allows autonomous invocation (the platform default). It does not attempt to modify other plugins or global agent settings.