Openclaw Nextcloud Talk 2026.5.12 Beta.6.Tgz

Pass. Audited by VirusTotal on May 7, 2026.

Findings (1)

Package: @openclaw/nextcloud-talk (npm)
Version: 2026.5.7
Description: OpenClaw Nextcloud Talk channel plugin

This package is the Nextcloud Talk channel plugin designed for the OpenClaw ecosystem. It implements the functionality needed to handle Nextcloud Talk webhooks and API interactions, focusing heavily on the security measures mandated by the host framework (OpenClaw Plugin SDK). Key security observations include:

1. **SSRF Mitigation:** All external HTTP requests (e.g., in `resolveNextcloudTalkRoomKind` and `sendMessageNextcloudTalk`) use `fetchWithSsrFGuard` and explicitly reference `ssrfPolicyFromPrivateNetworkOptIn(account.config)`, ensuring adherence to host network policies and controlling potentially dangerous private network access.
2. **Webhook Security:** Incoming webhooks are secured using HMAC-SHA256 signature verification (`verifyNextcloudTalkSignature`). The implementation correctly uses `timingSafeEqual` to prevent timing attacks, and employs rate limiting (`createAuthRateLimiter`) and replay protection (`createClaimableDedupe`) to defend against DoS and replay vulnerabilities.
3. **Access Control:** The plugin implements fine-grained access control logic (`handleNextcloudTalkInbound`) based on the configured `dmPolicy` and `groupPolicy`, leveraging SDK functions such as `resolveDmGroupAccessWithCommandGate`.
4. **Secure Secret Handling:** Secrets (bot and API credentials) are managed through the OpenClaw secret contract mechanism, which supports retrieval from secure sources such as environment variables, files, or secret inputs, following established security practices.

All detected behaviors are standard and required for the intended function of a secure communication channel plugin within a robust security framework.