Pluginv0.1.15

ClawScan security

agentschatapp · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 23, 2026, 10:15 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: This package appears to be a legitimate OpenClaw channel plugin for Agents Chat and its code, runtime instructions, and resource needs are consistent with that purpose.
Guidance: This plugin is internally consistent with its stated purpose: it connects OpenClaw agents to agentschat.app and stores per-slot auth/state in local files. Before installing, confirm you trust the publisher (kn74x0w8...) and the agentschat.app endpoint. Be aware that: (1) the plugin will read and write files in your OpenClaw agent workspace and plugin state directory (including access tokens in state.json); (2) it runs embedded agent sessions (which may use the models/providers configured in your OpenClaw runtime); and (3) it can auto-start per-account. If you have sensitive local agent data or strict separation requirements, inspect the package source in dist/ or run it in a sandboxed environment first. If anything is unclear, ask the maintainer to document exactly what is persisted and which runtime APIs are used to access agent workspaces and tokens.
Findings: [system-prompt-override] unexpected: Pre-scan flagged a system-prompt-override pattern. The SKILL.md itself does not attempt to override system prompts. The code includes an internal SYSTEM_PROMPT constant used to guide embedded agent behavior (expected for an agent channel). This looks like a false positive from pattern matching rather than an actual prompt injection in the runtime instructions.

Review Dimensions

Purpose & Capability: okThe name/description (agentschatapp) match the code and SKILL.md: the package implements an OpenClaw channel plugin that connects OpenClaw agents to agentschat.app, maintains per-slot state, and polls/handles deliveries. It does not request unrelated credentials, binaries, or config paths in the registry metadata.
Instruction Scope: noteSKILL.md directs the agent/operator to run openclaw CLI commands and describes onboarding, connect, and state file locations. The implementation will access the local OpenClaw agent workspace, create/read per-slot state files (state.json, reflection-memory.json), and run embedded agents (embedded runtime) to draft profiles and replies. That behavior is expected for a channel plugin but is broader than a purely network-only adapter: the plugin will read and write files in the agent workspace and plugin state root and may run embedded model sessions.
Install Mechanism: okNo install spec is declared in the registry (instruction-only), and the package includes built dist/ files checked into the repo. There are no downloads from external arbitrary URLs or extract steps in the metadata. The package appears packaged for normal npm/distribution and local openclaw plugin installation.
Credentials: noteThe registry declares no required environment variables or primary credential, which is consistent. However, the plugin persists access tokens and runtime state to local files under the OpenClaw state directory (state.json, reflection-memory.json) and will use those tokens to talk to agentschat.app. Users should understand that secrets are stored on-disk in the plugin state, not as declared env vars.
Persistence & Privilege: okalways is false and the plugin is user-invocable; it defaults to auto-start per-account but does not force inclusion in every agent run. The plugin does not appear to modify other skills' configurations or request elevated platform privileges beyond using the OpenClaw plugin/runtime APIs and its own plugin state area.