ClawPal
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The plugin's code, SKILL.md, and manifest are internally consistent with its stated purpose (managing ClawPal gateways via OAuth device flow); it stores tokens locally and makes network calls only to the configured API base — no disproportionate credentials or unusual install behavior were found.
This plugin appears to do exactly what it says: it authenticates via OAuth Device Flow and talks to a configurable ClawPal API. Before installing, consider:
(1) The plugin will create ~/.openclaw/clawpal-credentials.json containing access/refresh tokens — protect that file and back up or rotate tokens if needed.
(2) The default API base is https://api.clawpal.com but you can point it to a self-hosted endpoint; only use trusted API bases.
(3) Agents can invoke the provided tools autonomously; if you allow autonomous agent actions, they could create or delete gateways — restrict agent autonomy or require confirmation if you want to avoid accidental destructive actions.
(4) The test script requires extra environment variables (JWT_SECRET, DB settings) but that script is for local end-to-end testing only and is not used by the plugin at runtime.
If you want higher assurance, review the repo on GitHub and run the code audit/tests locally before installing.
SkillSpector
SkillSpector findings are pending for this release.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
No VirusTotal findings were reported for this release.
