Plugin v2.0.9

ClawScan security

[deprecated][Chrome channel for Openclaw] · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 1, 2026, 10:22 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The SKILL.md says the channel is deprecated and points to a new plugin, but the package actually contains a full channel implementation that performs network I/O, token exchange, config writes, and local media/file access — an inconsistency you should understand before installing.
Guidance
This package claims to be deprecated in SKILL.md but actually contains a full channel implementation that will (if enabled) contact Sider endpoints, exchange setup tokens, open WebSocket relays, upload/download media, read certain local file paths, and write long-lived tokens into your OpenClaw configuration. Before installing:
1) Prefer following the SKILL.md redirect and install the plugin from the new official URL if that is what you intend.
2) If you must use this package, inspect and verify the SIDER_BASE_URL and SIDER_SETUP_TOKEN values and only set them to trusted endpoints and values.
3) Be aware the plugin can read local files when handling attachments; avoid enabling it on hosts with sensitive local data unless you trust the Sider service.
4) Ask the maintainer (sider-ai) why the package contains active code while marked deprecated and why the docs disagree about defaults.
5) If you want stronger assurance, request a signed release or upstream confirmation that this package is intentionally left for compatibility and contains no unexpected behavior.
Additional information that would raise confidence to 'high': an explicit maintainer statement describing the package's intended role (placeholder vs active), and matching docs that list the exact env/config keys the plugin will use.

Review Dimensions

Purpose & Capability
concern: The human-facing SKILL.md/README says this channel is deprecated and redirects users to a new plugin URL. However, the package contains a full Sider channel implementation (WebSocket connections, HTTP calls to Sider endpoints, media upload/download, config read/write), functionality that contradicts the minimal 'deprecated' description. Some docs also disagree about the default gateway URL (README.zh_CN mentions a different default than src/config.ts), which is another mismatch.
Instruction Scope
concern: The runtime instructions (SKILL.md) do nothing but redirect. In contrast, the code will at runtime contact Sider API endpoints (exchange setup tokens), open WebSocket relay connections, fetch and save remote media, read local filesystem paths when resolving outbound media, and write persistent tokens back into the agent's config. The SKILL.md gives no indication of these behaviors.
Install Mechanism
note: There is no install spec that downloads arbitrary code from external URLs (the package contains TypeScript source and a package.json). That limits install-time risk (no external extract URLs). Still, the code will be installed and executed by the agent runtime when the plugin is registered.
Credentials
concern: Registry metadata lists no required environment variables, but the code reads environment variables (SIDER_SETUP_TOKEN, SIDER_BASE_URL, SIDER_ENABLE_REMOTE_BROWSER_MCP) as operational fallbacks. The plugin also persists tokens into the OpenClaw config via runtime.config.writeConfigFile. The declared env metadata does not reflect these real dependencies.
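The two checks a reviewer would actually run before installing follow from guidance point 2 (verify SIDER_BASE_URL and SIDER_SETUP_TOKEN) and from the Credentials finding (env vars read by the code but absent from registry metadata). The script below is an added example, not ClawHub's scanner and not the sider-ai plugin's own code: it extracts every `process.env` read and capability sink (HTTP, WebSocket, filesystem read, config write) from a plugin's TypeScript source with simple regex heuristics, diffs the env reads against the declared metadata, and validates a candidate gateway URL against an https-only host allowlist. The sample source, metadata, and the `sider.example` host are constructed for illustration; the regexes assume ordinary `process.env.X` / `process.env["X"]` style and are not a parser.

```python
"""Pre-install audit for an OpenClaw channel plugin.

Added example, not ClawHub's scanner or the sider-ai plugin's code.
Reconciles (a) env vars the source reads vs. what metadata declares and
(b) whether a SIDER_BASE_URL candidate is a trusted https endpoint.
"""
import re
from urllib.parse import urlsplit

# Constructed stand-in for a channel plugin's src/*.ts; not the real package.
SAMPLE_SOURCE = r'''
const baseUrl = process.env.SIDER_BASE_URL ?? "https://sider.example";
const setupToken = process.env["SIDER_SETUP_TOKEN"];
const remoteMcp = process.env.SIDER_ENABLE_REMOTE_BROWSER_MCP === "1";
const res = await fetch(`${baseUrl}/v1/setup/exchange`, { method: "POST" });
const ws = new WebSocket(`${baseUrl.replace("https", "wss")}/relay`);
const bytes = fs.readFileSync(attachment.localPath);
await runtime.config.writeConfigFile({ channels: { sider: { token } } });
'''

# Constructed stand-in for registry metadata; note the empty env declaration.
SAMPLE_METADATA = {"name": "sider-channel", "version": "2.0.9", "env": []}

# Capability sinks worth surfacing. Heuristic patterns (assumed code style).
SINK_PATTERNS = {
    "network:http": re.compile(r"\bfetch\s*\("),
    "network:websocket": re.compile(r"\bnew\s+WebSocket\s*\("),
    "fs:read": re.compile(r"\b(?:readFile|readFileSync|createReadStream)\s*\("),
    "config:write": re.compile(r"\.writeConfigFile\s*\("),
}

# Both common ways TypeScript reads an environment variable.
ENV_PATTERNS = [
    re.compile(r"process\.env\.([A-Z_][A-Z0-9_]*)"),
    re.compile(r"""process\.env\[\s*["']([A-Z_][A-Z0-9_]*)["']\s*\]"""),
]


def env_reads(source: str) -> list[str]:
    """Every environment variable name the source reads, sorted."""
    names: set[str] = set()
    for pat in ENV_PATTERNS:
        names.update(pat.findall(source))
    return sorted(names)


def audit(source: str, metadata: dict) -> dict:
    """Compare actual env reads and sinks against the declared metadata."""
    read = env_reads(source)
    declared = set(metadata.get("env", []))
    return {
        "env_read": read,
        "env_undeclared": [n for n in read if n not in declared],
        "sinks": [label for label, pat in SINK_PATTERNS.items() if pat.search(source)],
    }


def check_base_url(raw: str, trusted_hosts: set[str]) -> tuple[bool, str]:
    """Accept only https URLs on the allowlist with no embedded credentials."""
    parts = urlsplit(raw)
    if parts.scheme != "https":
        return False, f"scheme {parts.scheme!r} is not https"
    if parts.username or parts.password:
        return False, "credentials embedded in URL"
    if parts.hostname not in trusted_hosts:
        return False, f"host {parts.hostname!r} not in allowlist"
    return True, "ok"


if __name__ == "__main__":
    for key, value in audit(SAMPLE_SOURCE, SAMPLE_METADATA).items():
        print(f"{key}: {value}")
    for candidate in ["https://sider.example", "http://sider.example",
                      "https://u:p@sider.example", "https://evil.example/relay"]:
        print(candidate, check_base_url(candidate, {"sider.example"}))
```

Run against the real package by replacing SAMPLE_SOURCE with the concatenated contents of its src tree and SAMPLE_METADATA with the registry entry; any name in `env_undeclared` or any sink not mentioned in SKILL.md is exactly the kind of documentation gap the verdict above describes, and a URL that fails `check_base_url` should never be written into the OpenClaw config.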
Persistence & Privilege
note: The plugin registers background services, opens network sockets, and writes its own channel tokens into the OpenClaw config. It does not request always:true and appears to limit writes to its own channel config keys, which is expected for a channel plugin. Combined with the misleading SKILL.md, though, this privileged behavior is worth noting.