Plugin v0.1.5

ClawScan security

Lycus · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 22, 2026, 4:27 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The Lycus plugin's code, README, and runtime instructions are consistent with a channel plugin that pairs an OpenClaw gateway to the Lycus dashboard and requires only a Lycus machine token/id (or equivalent config) to operate.
Guidance
This plugin appears to do exactly what it says: pair your OpenClaw gateway to a Lycus backend and relay events over a WebSocket or webhook. Before installing: (1) Treat the Lycus machine token as a secret: paste it only into OpenClaw's secure config or supply it via an env var you control. (2) Prefer websocket mode unless you need webhook mode; if you use webhooks, configure and protect LYCUS_WEBHOOK_SECRET. (3) Review and restrict the dmPolicy/allowFrom settings (the default allowFrom: ["*"] accepts any sender, and dmPolicy may be permissive); tighten them to minimize who can send actions to this machine. (4) Confirm the backend URL is the official Lycus domain before pairing, and rotate the machine token if you suspect leakage. Lastly, the package metadata lists the env fallbacks as optional; pairing credentials can come from config or env, so make sure they are supplied securely either way.
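The four guidance points above can be turned into a mechanical pre-install check. The following is an added example, not code from the Lycus plugin or from ClawHub: it resolves each setting from config first and then from the env fallback the review lists, rejects a backend URL that is not https to the official host, and flags the permissive allowFrom/dmPolicy defaults. The config key names (baseUrl, machineToken, machineId, mode, webhookSecret, allowFrom, dmPolicy) and the config-before-env precedence are assumptions for illustration; only the env var names and the app.lycus.ai default come from the review.

```javascript
// Added example (not the Lycus plugin's own code). Config key names and the
// config-then-env precedence are assumptions; env var names come from the review.
const OFFICIAL_HOSTS = new Set(["app.lycus.ai"]); // default backend stated in the review

// Resolve a setting from config first, then from the env fallback the plugin accepts.
function resolve(config, key, envName, env) {
  const fromConfig = config[key];
  if (fromConfig !== undefined && fromConfig !== "") return { value: fromConfig, source: "config" };
  if (env[envName]) return { value: env[envName], source: "env" };
  return { value: undefined, source: "missing" };
}

// Accept only https to an allowlisted host. This rejects plain-http downgrades,
// lookalike domains (app.lycus.ai.evil.example) and userinfo tricks such as
// https://app.lycus.ai@evil.example/, where the real host is after the "@".
function checkBackendUrl(raw) {
  let u;
  try { u = new URL(raw); } catch { return { ok: false, reason: "unparseable URL" }; }
  if (u.protocol !== "https:") return { ok: false, reason: `insecure scheme ${u.protocol}` };
  if (u.username || u.password) return { ok: false, reason: "credentials embedded in URL" };
  if (!OFFICIAL_HOSTS.has(u.hostname)) return { ok: false, reason: `unexpected host ${u.hostname}` };
  return { ok: true, reason: "" };
}

// Returns { ok, findings }; ok is false when any finding is level "block".
function preflight(config, env = {}) {
  const findings = [];
  const block = (msg) => findings.push({ level: "block", msg });
  const warn = (msg) => findings.push({ level: "warn", msg });

  const base = resolve(config, "baseUrl", "LYCUS_BASE_URL", env);
  const url = checkBackendUrl(base.value ?? "https://app.lycus.ai");
  if (!url.ok) block(`backend URL: ${url.reason}`);

  const token = resolve(config, "machineToken", "LYCUS_MACHINE_TOKEN", env);
  const id = resolve(config, "machineId", "LYCUS_MACHINE_ID", env);
  if (token.source === "missing" || id.source === "missing")
    block("machine token and machine id are required (config or env)");

  // Assumed: mode defaults to websocket, matching the review's recommendation.
  const mode = config.mode ?? "websocket";
  if (mode === "webhook") {
    const secret = resolve(config, "webhookSecret", "LYCUS_WEBHOOK_SECRET", env);
    if (secret.source === "missing") block("webhook mode without LYCUS_WEBHOOK_SECRET");
    else warn("webhook mode exposes an inbound route; prefer websocket unless required");
  }

  const allowFrom = Array.isArray(config.allowFrom) ? config.allowFrom : ["*"];
  if (allowFrom.includes("*")) warn('allowFrom ["*"] lets any sender dispatch actions; restrict it');
  if (config.dmPolicy === undefined) warn("dmPolicy not set; the default may be permissive");

  return { ok: !findings.some((f) => f.level === "block"), findings };
}

// Constructed sample inputs: a hardened config and a default one.
const hardened = { machineToken: "t", machineId: "m", allowFrom: ["ops-bot"], dmPolicy: "allowlist" };
console.log(preflight(hardened));
console.log(preflight({}, { LYCUS_BASE_URL: "http://app.lycus.ai" }));
```

Run it before pairing with the config you intend to ship; a "block" finding means the setup should not be installed as-is, and a "warn" finding is one of the review's tightening recommendations that has not yet been applied.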

Review Dimensions

Purpose & Capability
ok · The name/description (connect OpenClaw devices to Lycus) match the implementation: the plugin pairs a machine with Lycus, opens an outbound Action Cable WebSocket, posts messages/indicators, and pulls/acks events. The network calls and tokens requested are exactly what this integration needs.
Instruction Scope
ok · SKILL.md and code instruct the agent to collect a Lycus machine token/id (via a wizard or openclaw.json), open an outbound WebSocket to the Lycus backend, and send/receive channel events. There are no instructions to read unrelated system files, exfiltrate arbitrary data, or call unexpected external endpoints beyond the configured Lycus backend (defaults to app.lycus.ai).
Install Mechanism
ok · No custom download/install hook is present (install is via the normal openclaw plugin flow / npm package). Dependencies are standard (ws plus dev tooling). There is no extract-from-arbitrary-URL behavior in the repository.
Credentials
note · The plugin requires a machine token and machine id for pairing and will also accept optional env fallbacks (LYCUS_BASE_URL, LYCUS_SOCKET_URL, LYCUS_MACHINE_TOKEN, LYCUS_MACHINE_ID, LYCUS_WEBHOOK_SECRET). These credentials are proportional to the stated purpose. Small inconsistency: registry metadata reported "Required env vars: none," but the plugin legitimately reads (optional) environment fallbacks and treats the machine token/id as required for operation (provided either via config or env).
Persistence & Privilege
ok · always:false and user-invocable:true. The plugin runs as a normal channel plugin, registers inbound routes only when webhook mode is selected, and does not request elevated system-wide privileges or modify other skills' configs. Autonomous invocation is enabled by default but not combined with other red flags.