Plugin v2.9.1

ClawScan security

bee-push-email · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 31, 2026, 7:59 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The plugin's code, instructions, and requirements are internally consistent with a real-time IMAP IDLE email watcher that pushes notifications and can trigger agent actions — the behaviors and data access it needs match its stated purpose.
Guidance
Before installing:
- Understand where your IMAP credentials will live: the plugin stores the email address and password (recommended: app-specific password) in openclaw.json in plain text. Follow the plugin's advice to restrict file permissions (chmod 600) and consider using an app-specific password, not your main account password.
- Review and limit rules that use agent_command, reply, or ask_reply. Those actions send email content to the agent/LLM and can cause the agent to perform actions — only enable them if you trust the plugin and have tight rule criteria.
- Note the plugin will try to use an existing Telegram bot token from the Gateway config to send direct notifications. If you prefer, create a dedicated bot/token for this plugin or ensure your existing bot token is stored in a location you accept the plugin reading.
- The install flow asks you to run npm install in the plugin folder. The SKILL.md recommends --ignore-scripts; keep that flag to avoid running package lifecycle scripts from unknown packages.
- Audit the plugin source (you have full TypeScript source) or run it in a controlled environment before trusting it with production inboxes. Consider setting auto-reply mode to 'false' initially and test with a throwaway mailbox and test emails.
- If you have low trust in the plugin origin (source unknown, no homepage), treat it as untrusted code: review the repo thoroughly or avoid installing it system-wide.

Review Dimensions

Purpose & Capability
ok
Name/description (IMAP IDLE email push with a rule engine) align with the code and runtime behavior: it opens an IMAP IDLE connection, reads mail metadata, evaluates rules, moves/flags messages, sends notifications via Telegram, and can enqueue events to the agent. Declared npm deps (imapflow, zod) and TypeScript source are appropriate for this purpose.
Instruction Scope
note
Runtime instructions (SKILL.md) focus on configuring IMAP credentials, rules, and where to store them; they tell the agent to write config to openclaw.json and restart the Gateway. The plugin can enqueue email content to the agent LLM (agent_command, reply, ask_reply), which is powerful and can cause the agent to take arbitrary actions based on incoming emails. The code contains explicit prompt-injection mitigations and warns the user to review rules, but users should be aware that email content may be sent to the LLM when those actions are used.
Install Mechanism
ok
No binary downloads or remote installers are embedded in the registry entry. The SKILL.md recommends running 'npm install --ignore-scripts' in the plugin directory to install imapflow and zod — this is standard and the use of --ignore-scripts reduces lifecycle-script risk. There is no unusual or opaque download URL; overall install risk is low for a Node plugin.
Credentials
note
The registry lists no required env vars, which matches metadata. The plugin stores IMAP credentials (email/password) in openclaw.json (cleartext) and suggests chmod 600 — storing credentials in config is expected but sensitive. The code also attempts to read a Telegram bot token from the OpenClaw config (flatConfig or api.config.plugins.entries.telegram.config), which is reasonable for delivering direct Telegram notifications but means the plugin may access bot tokens stored by other plugins/config entries; users should be aware of that implicit credential access.
Persistence & Privilege
note
The plugin registers an in-process background service (IMAP IDLE watcher) and hooks into the Gateway's command registration and enqueueSystemEvent APIs; this is necessary for real-time notifications. It does not set always:true. Because it can enqueue system events that wake the agent and can trigger agent-driven actions from incoming emails, it has a meaningful runtime privilege — appropriate for its purpose, but users should carefully control rules (especially agent_command and auto-reply) to avoid unintended actions.