Clawhub Github Publish FwXbjN

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This plugin matches its MQTT bridge purpose, but it can let MQTT bus messages steer a local OpenClaw agent with broad gateway privileges and can automatically publish conversation summaries to the shared bus.

Install only if you trust and tightly control the MQTT broker and all publishers on the bus. Before enabling it, configure broker ACLs/TLS, use a least-privileged OpenClaw gateway token, disable or approve remote task execution, and decide whether broadcasting conversation summaries is acceptable.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI01: Agent Goal Hijack
High
What this means

A party that can publish to the MQTT bus could steer the local agent's goals through task prompts.

Why it was flagged

Incoming MQTT task content is inserted directly into a prompt that tells the local agent which skill to use and what to do.

Skill content

yield * gateway.chat(`[Task ${msg.id}] Use the ${msg.skill} skill to: ${msg.prompt}`)

Recommendation

Treat MQTT task payloads as untrusted: require explicit user approval for remote tasks, restrict allowed senders and skills, and add prompt-boundary handling or signed task envelopes.

ASI02: Tool Misuse and Exploitation
High
What this means

A broadcast or targeted MQTT task could cause the agent to run capabilities that mutate accounts, systems, or other integrated services depending on installed skills.

Why it was flagged

The task handler accepts messages addressed to the agent or broadcast to '*' and dispatches them without an artifact-backed approval gate or allowlist.

Skill content

if (msg.to !== AGENT_NAME && msg.to !== '*') return ... case 'task': await handleTask(msg)

Recommendation

Disable broadcast task execution by default, add per-sender and per-skill allowlists, require confirmation for high-impact skills, and log/audit accepted remote tasks.

ASI03: Identity and Privilege Abuse
High
What this means

If the bridge is abused, it may operate with broad OpenClaw authority rather than a narrowly scoped messaging permission.

Why it was flagged

The gateway connection requests broad operator/admin, approval, and pairing scopes for a bridge whose core need appears to be sending/receiving chat tasks.

Skill content

role: 'operator', scopes: ['operator.admin', 'operator.read', 'operator.write', 'operator.approvals', 'operator.pairing']

Recommendation

Use least-privilege gateway scopes, declare the gateway token/credential requirement in metadata, and separate read-only status publishing from privileged task dispatch.

ASI07: Insecure Inter-Agent Communication
High
What this means

Any agent or service with access to the same MQTT topic may be able to send commands or messages into this agent's workflow.

Why it was flagged

The plugin subscribes to the MQTT bus and the provided source does not show message signing, sender authentication, broker ACL enforcement, or per-agent topic isolation.

Skill content

client.subscribe(topicFilter, { qos: 1 }, (err) => { ... handlers.set(topicFilter, handler) ... })

Recommendation

Use a TLS-protected broker with ACLs, per-agent topics, signed messages, sender identity checks, and default-deny handling for unknown senders.

ASI07: Insecure Inter-Agent Communication
Medium
What this means

Sensitive details from conversations could be shared with every subscriber on the MQTT bus, even when the user only expected local agent work.

Why it was flagged

The plugin automatically publishes snippets of user prompts and assistant outputs as broadcast MQTT events.

Skill content

summary: prompt.slice(0, 200) ... await publishToBus(makeBusMessage('event', AGENT_NAME, '*', { status: 'completed', summary: summary || 'No summary available' }))

Recommendation

Make status-summary publishing opt-in, redact sensitive content, let users choose recipients, and document exactly what conversation data is sent to MQTT.

ASI10: Rogue Agents
Low
What this means

After installation, the plugin can continue listening and publishing while OpenClaw is running.

Why it was flagged

The MQTT client is designed to maintain a live connection and reconnect, which is expected for a bridge but means it keeps operating in the background.

Skill content

reconnectPeriod: MQTT_RECONNECT_MS, clean: true

Recommendation

Provide a clear enable/disable switch, visible connection status, and documentation for stopping the bridge.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

Future releases could be affected by changes in the external publish workflow, though this is not direct runtime evidence of malicious behavior.

Why it was flagged

The release workflow depends on a reusable workflow tracked by the moving 'main' branch, which is less reproducible than pinning a specific commit or tag.

Skill content

uses: openclaw/clawhub/.github/workflows/package-publish.yml@main

Recommendation

Pin reusable workflows to immutable commits or trusted release tags and keep build provenance reproducible.