Plugin v1.0.7
ClawScan security
Chrome channel for OpenClaw by Sider · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 15, 2026, 9:29 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The plugin's code and runtime instructions are consistent with a Chrome <-> OpenClaw channel, but the SKILL.md recommends an npx -y quick-install that downloads and executes code from npm at runtime (and references a different package name), which raises an install-time risk the user should understand before proceeding.
- Guidance: This plugin appears to implement exactly what it claims: a Chrome-side channel that pairs your OpenClaw instance with the Sider Chrome extension and transmits chat, events, and attachments to Sider. Two practical risks to weigh before installing:
  - Quick-install executes remote code: The README recommends running npx -y @sider-ai/chrome-openclaw-sider-cli install, which downloads and runs an npm package immediately (the -y flag suppresses npx's "Ok to proceed?" confirmation prompt, so nothing is shown before execution). If you use that, inspect the installer package (or use the manual openclaw plugins install path) rather than blindly running npx -y.
  - Token persistence and data flow: Pairing produces a long-lived token that is stored in ~/.openclaw/openclaw.json, and the plugin uploads conversation content and attachments to Sider. Only install/pair if you trust Sider and are comfortable with chat and attachment data leaving your host.
  Actionable checklist before install:
  - Prefer the manual path: run openclaw plugins install clawhub:chrome-openclaw-sider (or inspect the package source you will install) instead of npx -y.
  - Verify the npm package name and source (SKILL.md references @sider-ai/chrome-openclaw-sider-cli while this skill is 'chrome-openclaw-sider'); ensure you are installing the official maintainer package.
  - If you must run the quick-install, review its code on the npm registry or GitHub first and consider running it in an environment where you can review the changes it makes (or a throwaway environment).
  I flagged this skill as "suspicious" primarily because the recommended quick-install pattern downloads and executes code at runtime; the plugin itself is otherwise coherent with its stated purpose.
Review Dimensions
- Purpose & Capability
  - ok: The name/description (Chrome channel for OpenClaw by Sider) align with the code: the plugin opens a channel, performs pairing, exchanges tokens with Sider endpoints, uploads/downloads attachments, and persists a long-lived token into ~/.openclaw/openclaw.json. Declared runtime env vars (SIDER_BASE_URL, SIDER_SETUP_TOKEN) match what the code reads.
- Instruction Scope
  - note: SKILL.md's manual install and pairing steps stay within the channel's purpose. It explicitly warns that conversations, streaming events, tool-call status and attachments are transmitted to Sider, and that the pairing token is persisted locally. However, it encourages pasting install/pair commands into the OpenClaw chat box (letting the agent run them), which expands what an agent can do at install time. Also, the quick-install command (npx -y @sider-ai/chrome-openclaw-sider-cli install) will fetch and run remote code; the quick-install package name differs from the skill slug, which is a minor inconsistency worth verifying.
- Install Mechanism
  - concern: The skill metadata has no install spec, but SKILL.md recommends a one-line npx -y command that downloads and executes an installer CLI from npm at runtime. Running npx -y executes remotely fetched code with no local review unless the user inspects it first. Although the package looks like an official @sider-ai package, executing arbitrary npm packages carries non-trivial risk; SKILL.md does provide an alternative manual install via openclaw plugins install, which is safer.
- Credentials
  - ok: No unrelated secrets or wide-ranging environment access are requested. The code reads SIDER_BASE_URL and SIDER_SETUP_TOKEN (declared in the docs). The plugin persists a token to the OpenClaw config (~/.openclaw/openclaw.json) as described; this is expected for a channel that needs authentication. There are no demands for unrelated cloud or system credentials.
- Persistence & Privilege
  - ok: always: false. The plugin registers event hooks (before/after tool calls, llm_output, message writes) to report/record chat and tool-call metadata to Sider; this is consistent with its stated purpose. It writes its own account token into OpenClaw's config but does not appear to modify other skills or global agent policies.
