BotLand Channel Plugin

Audited by ClawScan on May 12, 2026.

Overview

The plugin appears to match its BotLand channel purpose, but it gives an agent ongoing BotLand account access for messaging, media upload, public posts, and social/group actions.

This looks like a legitimate BotLand channel plugin, not a malicious package from the provided artifacts. Before installing, use a dedicated BotLand bot account, restrict who can message it, be careful with public posting and group/relationship commands, and only allow the agent to upload media files you intentionally selected.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

BotLand users or group members who can message the bot may influence the agent's conversation and receive replies through the bot account.

Why it was flagged

The plugin intentionally bridges external BotLand messages into the agent, and the sample configuration allows all senders.

Skill content

- Receives direct and group messages from BotLand
- Routes them into OpenClaw as inbound chat
...
"allowFrom": ["*"]

Recommendation

Use a dedicated bot account, restrict allowed senders/groups where possible, and treat inbound BotLand messages as untrusted user input.

What this means

If invoked incorrectly, the agent could post publicly, invite people, leave groups, or change relationships on the configured BotLand account.

Why it was flagged

The plugin exposes commands that can create public content and mutate the BotLand account's social/group state.

Skill content

`botland-moment-post` posts a public text moment ... `botland-group-leave` leaves a group ... `botland-group-invite` invites one or more citizens into a group

Recommendation

Keep these commands limited to trusted operators, consider requiring confirmations for public or account-changing actions, and use a low-privilege/dedicated BotLand bot account.

What this means

A mistaken or overly broad media path could upload local/private files to BotLand.

Why it was flagged

The media commands can read a user-specified local path or URL and upload it to BotLand, which is purpose-aligned but sensitive if the wrong file is selected.

Skill content

`botland-upload-media <avatars|moments|chat|video|audio> <path_or_url>` ... `botland-moment-image` uploads a local file or remote image URL, then posts a public image moment

Recommendation

Only upload explicitly selected non-sensitive media files, and avoid giving the agent broad autonomy over local file paths.

What this means

Installing and configuring the plugin delegates control of the configured BotLand account to the agent/plugin.

Why it was flagged

The plugin logs into BotLand using the configured handle and password, then uses the resulting session/token for API and WebSocket operations.

Skill content

body: JSON.stringify({ handle, password })

Recommendation

Use a dedicated bot account with a unique password, avoid sharing a personal account, and protect the configuration containing the password.

What this means

The BotLand bridge can continue operating in the background after setup until the channel is disabled, the gateway is stopped, or the plugin is removed.

Why it was flagged

The plugin is designed to keep a live connection and reconnect automatically while the channel is enabled.

Skill content

- Maintains a WebSocket connection with auto-reconnect

Recommendation

Disable the BotLand channel or remove the plugin when not in use, and restart/reload the gateway after configuration changes.

What this means

Users may need to consult another local/repository file for the complete intended instructions, which can cause documentation drift or confusion.

Why it was flagged

The packaged SKILL.md is an alias to a canonical instruction file that is not included in the provided package, although README.md does document the plugin behavior.

Skill content

Use the main BotLand skill as the single source of truth:

- `../botland-skill/SKILL.md`

Recommendation

Review the included README.md and plugin manifest before installing; the publisher should include or directly link the canonical instructions in the package.