Plugin v2026.1.29

ClawScan security

WeWork · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 27, 2026, 11:47 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The package appears to implement a legitimate WeWork/WeCom channel that talks to a local HTTP bridge and saves downloaded media to disk, but there are a few mismatches and configuration artifacts that warrant caution before installing.
Guidance
This package largely behaves like a normal WeWork channel plugin, but review a few items before installing:
1) opencode.json in the package overrides an OpenAI baseURL (https://aixj.vip/v1); confirm whether your platform will read this, and remove it if not intended.
2) The plugin binds/listens on a host/port derived from the configured baseUrl and posts to baseUrl/message; keep baseUrl set to a local bridge (127.0.0.1) unless you explicitly trust a remote bridge.
3) Media downloads are written to disk (default tmp); verify the configured mediaDownloadDir and size limits to avoid untrusted content or disk fill.
4) There are no required environment variables or credentials declared; verify you are comfortable that the plugin will not access other secrets.
If you need higher assurance, ask the author to remove opencode.json or explain why it is included, and test the plugin in an isolated environment with baseUrl pointing to a local, controlled bridge before enabling it in production.
Findings
[opencode.json:openai.baseURL] unexpected: Repository contains opencode.json that sets OpenAI baseURL to https://aixj.vip/v1. This is unrelated to a WeWork channel plugin and may redirect LLM/network traffic if the platform or tooling honors this file. The presence of this config is unexpected and should be reviewed/removed if unintended.

Review Dimensions

Purpose & Capability
note: The name/description match the code: this is a WeWork (WeCom) channel plugin that communicates with a bridge via HTTP (default 127.0.0.1:6255) and supports sending/receiving messages and downloading media. The code's filesystem and network I/O (saving media to disk, binding an HTTP listener, posting to a baseUrl) are consistent with the stated purpose. One unexpected file (opencode.json) contains an OpenAI baseURL override unrelated to a channel plugin and is not necessary for the stated functionality.
Instruction Scope
note: Runtime code accepts HTTP messages, posts to baseUrl/message, may download external media (via bridge or direct URL) and writes files to disk (media download dir, default os.tmpdir). These actions are within scope for a bridge-based channel, but the code will: (a) perform outgoing HTTP requests to whatever baseUrl is configured (could be remote if misconfigured), and (b) write arbitrary media files to the configured download directory. The SKILL metadata does not declare any environment variables or external endpoints, so the opencode.json provider override is a mismatch to watch.
Install Mechanism
ok: No install spec and no remote download/install actions in package metadata; code is included in the bundle. There are no install-time downloads from untrusted URLs.
Credentials
ok: The skill requires no environment variables or external credentials in its metadata. The code does not request secrets from env vars. It does rely on a user-configured baseUrl (bridge host) and media download directory; those configuration parameters should be set carefully.
Persistence & Privilege
ok: always is false; the plugin does not request forced inclusion or modify other skills. It runs in-process as a channel plugin and may create an HTTP server bound to the host/port derived from the configured baseUrl (default localhost).