Plugin v1.0.5
ClawScan security
OpenClaw Zotero Channel Plugin · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 27, 2026, 10:19 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The plugin mostly looks like a legitimate Zotero channel bridge, but there are configuration mismatches and it reads an undeclared file in the user's home directory (and can POST messages to whatever server URL is configured), so the package has incoherences you should verify before installing.
- Guidance: This plugin mostly implements a Zotero bridge, but review these points before installing:
  1. Confirm the channel config key/name mapping: the code expects cfg.channels['zotero'] while the plugin metadata uses 'claw-zotero'. Verify your OpenClaw configuration will place the token under the expected key.
  2. The plugin reads ~/.openclaw-zotero-channel/config.json for a ZOTERO_SERVER_URL; inspect that file (or create it) and ensure it points only to a trusted endpoint (default is http://localhost:8080). If someone sets it to a remote URL, message contents can be POSTed there.
  3. Check how OpenClaw enforces auth for the /zotero/webhook route and, if possible, configure allowFrom or request validation so arbitrary external HTTP callers cannot inject messages.
  4. The package-lock contains many large dependencies not listed in package.json devDependencies. That is odd but not necessarily malicious; if you care, perform a deeper npm audit and review the installed packages.
  If you are not comfortable with these issues, ask the author to: fix the config key mismatch, declare the home-config path in metadata or stop reading it, and add an explicit allowlist/validation for incoming webhooks.
Review Dimensions
- Purpose & Capability (note): The code implements a Zotero channel: it registers a /zotero/webhook route, converts incoming webhook events to OpenClaw agent messages, and sends replies via a local/remote server. This matches the stated purpose, but there are mismatches in naming: the plugin/channel code uses the internal id 'zotero' while openclaw.plugin.json and the package identify the plugin as 'claw-zotero' (channelConfigs uses 'claw-zotero' but the code reads cfg.channels['zotero']). That inconsistency can break configuration or cause the plugin to read the wrong config section.
- Instruction Scope (concern): The code reads a configuration file from the user's home directory (~/.openclaw-zotero-channel/config.json) to get a server URL and will POST outbound messages to that server. The read of the home-directory file is not declared in the plugin metadata (the required config paths list is empty). The webhook handler accepts POSTed JSON and forwards its content into the agent; there is no allowlist validation of remote callers inside the webhook handler (though OpenClaw may enforce plugin route auth), and the server URL can point to any host, enabling potential exfiltration of message contents if misconfigured.
- Install Mechanism (ok): This is an instruction-and-code-only plugin with no install spec that downloads or extracts remote archives. Nothing is written to disk by an installer here beyond the normal plugin files.
- Credentials (concern): The plugin declares no required environment variables or config paths, but it nevertheless reads ~/.openclaw-zotero-channel/config.json for ZOTERO_SERVER_URL. That file access is not declared in metadata. The channel config schema declares a token and allowFrom; the code expects a channel config under a different key name ('zotero' vs 'claw-zotero'), which is inconsistent and may cause the plugin to operate without the intended token checks. The plugin can send message payloads to a server URL that may be remote if the local config is modified; this is powerful and should be validated before enabling.
- Persistence & Privilege (ok): The skill is not marked always:true and does not request elevated system-wide privileges or attempt to edit other skills. It exposes a webhook route (plugin-scoped auth), which is expected for a channel plugin.
