Openclaw Tal Ai

PassAudited by ClawScan on May 13, 2026.

Overview

This appears to be a legitimate TAL AI provider plugin, but it will run OpenClaw plugin code and use your TAL API keys to send model requests to TAL endpoints.

Before installing, verify that you trust this package source and are allowed to use TAL internal/VPN model services. Configure only authorized TAL keys, keep them secret, and remember that prompts and supported image inputs will be sent to ai-service.tal.com when these providers are selected.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Info

#ASI05: Unexpected Code Execution

What this means

Installing the plugin means OpenClaw will execute this provider-registration code.

Why it was flagged

OpenClaw will load the plugin's JavaScript extension. This is normal for a provider plugin, and the visible entry point only registers the three declared providers.

Skill content

"openclaw": { "extensions": ["./index.js"], "providers": ["mlops-claude", "tal-mlops", "claw"] }

Recommendation

Install only if you trust the package source; the visible code is purpose-aligned and the static scan is clean.

Low

#ASI03: Identity and Privilege Abuse

What this means

Anyone with these keys may be able to use the associated TAL model-service account or quota.

Why it was flagged

The plugin asks for TAL model-service credentials and uses them to configure provider access.

Skill content

"envVars": ["TAL_AI_API_KEY"] ... "envVars": ["CLAW_API_KEY"] ... "cliOption": "--tal-ai-api-key <key>" ... "cliOption": "--claw-api-key <key>"

Recommendation

Use only authorized, least-privileged TAL keys; keep them secret and rotate them if exposed.

Low

#ASI07: Insecure Inter-Agent Communication

What this means

Prompts, files/images included in model requests, and conversation context may be sent to TAL's AI service when these providers are used.

Why it was flagged

Model traffic is routed to TAL service endpoints, and the catalog advertises text/image-capable models.

Skill content

"baseUrl": "https://ai-service.tal.com" ... "baseUrl": "https://ai-service.tal.com/openai-compatible/v1" ... "baseUrl": "https://ai-service.tal.com/claw/v1"

Recommendation

Use this only for data permitted by your TAL/internal data policy, and confirm provider retention/privacy terms if handling sensitive content.