Plugin v0.1.2
ClawScan security
AIWork Channel · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 18, 2026, 3:51 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The plugin's code, configs, and declared dependencies are consistent with its stated purpose (connecting OpenClaw to AIWork). One privacy consideration the user should be aware of: it reads local image files referenced in message text and converts them to data: URLs for outbound delivery, so a message that mentions a local image path causes that file to be read and sent.
- Guidance: This plugin appears to implement an AIWork channel as described. Before installing: (1) Be aware that it reads local image files referenced in messages and converts them to data: URLs for outbound delivery. The trigger is message content, not an explicit user action: if a message contains a local path to an image (including a ~/ path, which is expanded from HOME), that file can be read and transmitted to the AIWork service. (2) Provide only trusted appId/apiSecret values in the channel config, and make sure you trust the AIWork endpoint (defaults to aimeeting.aispeech.com.cn), since credentials and message content are sent there. (3) Check your logging/monitoring configuration, because the plugin logs message previews and file paths, which can expose metadata. (4) If you need to limit filesystem access, audit or modify the code to restrict the directories from which images may be read, or disable local-file conversion entirely. For extra assurance, review the bundled source (index.ts/dist) or run the plugin in a restricted environment first.
Review Dimensions
- Purpose & Capability (ok): Name/description (AIWork Channel) match the code and manifest. The plugin implements a channel that talks to AIWork endpoints (defaults point at aimeeting.aispeech.com.cn) and expects account/app credentials in the channel config (appId/apiSecret). The single declared dependency (ws) and the WebSocket/HTTP logic in the code are appropriate for a realtime channel plugin.
- Instruction Scope (note): Runtime behavior goes slightly beyond simple message routing. The code scans message text for image URLs and local image file paths; when it detects a likely local image path, it reads the file (via node:fs/promises readFile) and converts it to a data: URL to include in outbound delivery. That behavior is coherent with a channel that must deliver attachments, but it means the plugin reads files from the host filesystem (resolving a leading ~/ via process.env.HOME) whenever a message references them, and the source does not limit which directories may be read; see Guidance item (4).
- Install Mechanism (ok): No download/install spec is provided in the skill metadata; this is an instruction/plugin bundle with source and a package.json that declares a single runtime dependency (ws from npm). There are no external/untrusted download URLs or archive extraction steps in the manifest.
- Credentials (ok): The plugin does not request unrelated environment variables. Authentication is expected to be supplied via the channel configuration (appId/apiSecret/appSecret) as defined in openclaw.plugin.json, which aligns with the plugin's purpose. Note: the code reads process.env.HOME to expand ~/; this is normal, but it means the plugin may resolve paths under the user's home directory when converting local images.
- Persistence & Privilege (ok): The skill is not force-included (always: false) and uses the platform's normal plugin model. It does not request elevated platform privileges, does not modify other plugins' configs, and does not itself persist external credentials in the provided source. Autonomous invocation is allowed by default but is not combined with other concerning flags.
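The following is an added example, not code from the AIWork Channel plugin or from ClawHub. It reconstructs the conversion flow the Instruction Scope note describes (find image URLs and local image paths in message text, expand a leading ~/ from HOME, read the file, emit a data: URL) and places the unrestricted expansion the scanner reports beside a variant that refuses any path outside an explicit allowlist of directories, which is the mitigation Guidance item (4) suggests. The regexes, function names, the allowlist and the MIME table are assumptions for illustration; the plugin's real matcher may differ.

```typescript
// Added example, not the AIWork Channel plugin's code: the "local image path -> data: URL"
// flow described in the scan, with the unrestricted expansion the scanner reports next
// to an allowlisted variant. Regexes, names and the MIME table are illustrative assumptions.
import { readFile } from "node:fs/promises";
import { posix } from "node:path"; // POSIX semantics so the containment check behaves the same everywhere

// Assumed heuristics: an http(s) URL, or a /, ./ or ~/ path, ending in an image extension.
const IMAGE_URL_RE = /https?:\/\/[^\s"'<>]+?\.(?:png|jpe?g|gif|webp)(?=\s|$)/gi;
const LOCAL_IMAGE_RE = /(?:^|\s)((?:~\/|\.\/|\/)[^\s"'<>]+?\.(?:png|jpe?g|gif|webp))(?=\s|$)/gi;
const MIME: Record<string, string> = {
  ".png": "image/png", ".jpg": "image/jpeg", ".jpeg": "image/jpeg",
  ".gif": "image/gif", ".webp": "image/webp",
};

export interface ImageRefs { urls: string[]; localPaths: string[] }

// Pull out every image reference a message mentions; this is the step that turns
// message content into filesystem reads.
export function extractImageRefs(text: string): ImageRefs {
  return {
    urls: Array.from(text.matchAll(IMAGE_URL_RE), (m) => m[0]),
    localPaths: Array.from(text.matchAll(LOCAL_IMAGE_RE), (m) => m[1]),
  };
}

// Unrestricted expansion, as the scan describes: "~/" becomes $HOME and the result is
// used as-is, so any readable image under the home directory (or anywhere else) is fair game.
export function expandHomeUnrestricted(p: string, home: string): string {
  return p.startsWith("~/") ? posix.join(home, p.slice(2)) : posix.resolve(p);
}

// Restricted variant: after expansion and normalisation the path must have an image
// extension and lie inside one of the allowed roots. ".." segments are collapsed by
// normalize() before the containment check, so "~/Pictures/../.ssh/x.png" is rejected,
// and the check is segment-based, so a root of /home/a/Pictures does not admit /home/a/Pictures2.
// Symlinks are not resolved here; call fs.realpath first if they matter in your deployment.
export function resolveAllowedImagePath(p: string, home: string, allowedRoots: string[]): string | null {
  const abs = posix.normalize(expandHomeUnrestricted(p, home));
  if (!(posix.extname(abs).toLowerCase() in MIME)) return null;
  for (const root of allowedRoots) {
    const rel = posix.relative(posix.resolve(root), abs);
    const escapes = rel === "" || rel === ".." || rel.startsWith("../") || posix.isAbsolute(rel);
    if (!escapes) return abs;
  }
  return null;
}

// Encode file bytes as the data: URL that would be sent outbound.
export function bytesToDataUrl(bytes: Uint8Array, ext: string): string {
  const mime = MIME[ext.toLowerCase()] ?? "application/octet-stream";
  return `data:${mime};base64,${Buffer.from(bytes).toString("base64")}`;
}

// The allowlisted read: paths outside the roots are never opened, let alone transmitted.
export async function localImageToDataUrl(p: string, home: string, allowedRoots: string[]): Promise<string | null> {
  const abs = resolveAllowedImagePath(p, home, allowedRoots);
  if (abs === null) return null;
  return bytesToDataUrl(await readFile(abs), posix.extname(abs));
}
```

The containment test uses path.relative rather than a string prefix comparison, which is the usual mistake in this kind of check; with a root of /home/alice/Pictures, a path under /home/alice/Pictures2 or a ../ traversal both produce a relative path that escapes the root and is rejected. If you do not need attachments at all, dropping the local-path branch entirely (keeping only URL references) is simpler than maintaining an allowlist.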
