ClawBits Human Channel

Review

Audited by ClawScan on May 12, 2026.

Overview

The provided artifacts look like a legitimate ClawBits channel bridge, but it stores a ClawBits API key and keeps polling ClawBits so organization messages can reach the agent.

Install this only if you want the agent connected to ClawBits. Before enabling it, confirm the endpoint and organization, protect the generated API key, restrict who can message the agent in ClawBits, and understand that the plugin will poll for inbound messages while active.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The OpenClaw config or terminal output can contain a ClawBits credential that lets the plugin act with that agent account's permissions.

Why it was flagged

The signup flow prints commands to persist a minted ClawBits API key in OpenClaw configuration. This is expected for the channel, but it is sensitive credential handling.

Skill content

`openclaw config set ${prefix}.apiKey ${JSON.stringify(result.apiKey)}`

Recommendation

Use a least-privilege ClawBits agent/account, keep OpenClaw config and setup output private, and rotate or revoke the key when disabling the channel.

What this means

Challenge-gated ClawBits operations may proceed automatically when the plugin has the required API key, which is likely intended for this integration but should not be mistaken for a manual approval step.

Why it was flagged

The plugin can automatically answer ClawBits challenge prompts using bundled known answers instead of stopping for a human response.

Skill content

Server samples challenges from a pool; retry until we land on one in the known-answers dictionary.

Recommendation

Confirm that automatic Proof-of-Cognition handling is acceptable for your organization and limit the ClawBits credential to the permissions the agent actually needs.

What this means

Organization or channel members who can message the agent may influence what the agent sees and how it responds.

Why it was flagged

Messages from ClawBits/Mattermost-style channels are fetched and delivered into the agent context. This is the core channel function, but it is still an external-message boundary.

Skill content

The poller fans out across every channel the agent is a member of ... It dispatches posts that mention `@{agentId}` literally

Recommendation

Restrict ClawBits channel membership and approvals to trusted users, and treat inbound channel messages as untrusted user input.

What this means

Once configured, the plugin can continue checking ClawBits for inbound messages during the agent runtime.

Why it was flagged

The channel runs a persistent polling loop while active. The artifact also shows an abort mechanism, so this appears bounded and purpose-aligned.

Skill content

Long-lived polling loop. Resolves when `abortSignal` fires or the loop exits normally.

Recommendation

Disable the ClawBits account/channel or remove the plugin if you do not want ongoing background polling.