Plugin v0.1.17
ClawScan security
Plugin · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 28, 2026, 1:33 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The plugin's code, configuration, and runtime instructions are internally consistent with its stated purpose (a managed WhatsApp channel that routes traffic through imBee); the main risk is that traffic is proxied through an external service you must trust.
- Guidance: This plugin is coherent: it implements a managed WhatsApp Business channel that routes traffic through imBee's routing service. Before installing, consider these points: 1) Messages (and media) will transit imBee's infrastructure (openclaw-plugin.dev.ent.imbee.io) and are delivered using an apiKey you must provision — you must trust imBee's handling of in-flight data despite their in-memory-only claim. 2) The plugin stores the pairing/apiKey in OpenClaw config (store secrets appropriately). 3) Test with a throwaway number and verify TLS endpoints and WebSocket behavior before using it with sensitive data. 4) The licence forbids self-hosted routing for production — you must use imBee's service unless you purchase a commercial licence. If you need stronger assurance, ask the maintainer for audited documentation of the routing server (code, retention policy, HMAC verification details) or request the ability to self-host.
Review Dimensions
- Purpose & Capability: ok. Name/description claim (managed ‘official’ WhatsApp Business channel via imBee) matches the code and config. Declared dependencies (qrcode, ws) and the pairing flow implemented by the code are appropriate. No unexpected environment variables or unrelated binaries are requested.
- Instruction Scope: note. SKILL.md and code instruct OpenClaw to pair via QR, open a WebSocket to a routing server, fetch media, and forward inbound messages to a local agent — all consistent with a messaging channel. Note: the runtime establishes a long-lived WebSocket and downloads media from imBee's routing server, so user messages and media transit an external host (openclaw-plugin.dev.ent.imbee.io) even though the docs assert in-memory-only forwarding.
- Install Mechanism: ok. No custom install script in the skill bundle; installation uses OpenClaw's plugin mechanism. Package.json lists small, expected dependencies (qrcode, ws). There are no arbitrary URL downloads or extraction steps in the plugin itself.
- Credentials: note. The plugin does not demand system env vars; however, it relies on a channel configuration value apiKey (stored in OpenClaw config/secrets) and a routingBaseUrl that defaults to imBee's domain. Requesting an API key and a routing URL is proportional, but you should consider that the key grants the plugin (and thus the routing server) access to your pairing/session and message routing.
- Persistence & Privilege: ok. always is false and the plugin does not request elevated platform privileges. It runs as a normal channel gateway (opens its own WebSocket) and does not modify other plugins or system-wide settings. Autonomous invocation and long-lived connections are expected for a messaging channel.
