Plugin v2.5.0
ClawScan security
bee-push-email · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 24, 2026, 9:04 PM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The plugin's code, config schema, and runtime instructions are coherent with its stated purpose (IMAP IDLE email watcher with a rule engine), but it runs in-process with the Gateway, stores your email credentials in openclaw.json, and can dispatch arbitrary agent instructions via rules — so review rules and use app-specific passwords before enabling auto-reply or agent-triggering actions.
- Guidance: what to consider before installing
  - Origin & trust: the package lists a GitHub repository and an owner ID, but the 'Source' / 'Homepage' in the registry metadata are blank. Verify the publisher and the upstream repository (review commits, issues, and maintainer reputation) before enabling in a production environment.
  - Credentials: the plugin stores your IMAP password in ~/.openclaw/openclaw.json (openclaw.json). Use an app-specific password (NOT your primary account password) and set file permissions (chmod 600) as recommended. Consider using an account dedicated to automated access.
  - Auto-reply & agent_command: keep auto_reply_mode set to 'false' or 'ask' unless you understand the risks. Rules can run agent_command (arbitrary natural-language instructions) and forward content to other channels; only enable these for trusted senders or tightly scoped rules to avoid accidental actions or data leaks.
  - Rule hygiene: review and test rules in a safe workspace. Use /beemail_rule_test and keep dangerous actions (reply, forward, agent_command) disabled while building rules. Avoid broad matches that could trigger on spam or mailing lists.
  - Review code if possible: the plugin runs in-process with the Gateway and can enqueue system events that wake the agent. If you rely on strong isolation, audit the included source files (imap.ts, actions.ts, rules.ts, wizard.ts) and confirm the prompt-injection mitigations are present in the built artifact that will be executed.
  - Test before broad deployment: install and run with a throwaway/test mailbox first to confirm behavior (no unexpected replies, forwarding, or rule side effects), then move to real accounts.
If you want, I can: (1) highlight the specific lines in actions.ts that wrap email content for prompt-injection protection, (2) search the code for any remaining places that inject raw email content into agent events, or (3) draft a safe default rule set that disables auto-reply and agent_command until you explicitly enable them.
- Findings
  - [dynamic-require-in-esm] unexpected: CHANGELOG documents a prior finding where a CommonJS require() would have crashed in ESM; that issue was fixed by replacing it with a proper static ESM import. The presence of this note indicates a past static-analysis flag, but it was remediated in the published sources.
  - [unsanitized-email-injection] unexpected: CHANGELOG documents a prior prompt-injection risk where email fields were injected unsanitized into agent system events; it states that wrapEmailContent/safeField protections were added and applied to agent_command, reply, and ask_reply. The presence of these fixes is appropriate for the plugin's function.
Review Dimensions
- Purpose & Capability (ok): Name/description, manifest (openclaw.plugin.json), and source files all implement an IMAP IDLE watcher, rule engine, and guided wizard. Required configuration fields (host, email, password, folder, rules_file, auto_reply_mode) match the plugin's declared purpose; no unrelated credentials or external services are requested.
- Instruction Scope (note): SKILL.md and the wizard explicitly instruct the agent to collect IMAP credentials and write them to openclaw.json (user confirmation required). Rules can run actions including notify, move, mark_read, forward, auto-reply, and agent_command. The agent_command action triggers arbitrary natural-language instructions to the agent when an email matches — this is expected for the stated feature but increases attack surface if rules are misconfigured or mailboxes accept untrusted senders.
- Install Mechanism (ok): No external install spec or downloads; the bundle is instruction + TypeScript plugin source that runs in-process with the Gateway. Dependencies are limited (imapflow, zod). No suspicious remote URLs or archive extracts are present.
- Credentials (note): The plugin requests no environment variables, which is appropriate. It does require that you store your IMAP password in openclaw.json (documented in SKILL.md and in the manifest with the sensitive flag). Storing credentials in a local config file is typical for such a plugin but requires care (use app-specific passwords and restrict file permissions).
- Persistence & Privilege (ok): always:false, and the plugin registers a background service in the Gateway (expected for an IMAP IDLE watcher). The plugin can autonomously enqueue system events to wake the agent (this is its intended function). There is no 'always:true' or evidence that it attempts to modify other plugins or system-wide settings beyond its own config.
