Plugin v0.1.2

ClawScan security

Now4real · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 16, 2026, 2:23 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The plugin's code, documentation, and runtime instructions are consistent with a Now4real channel for OpenClaw and its requested access is proportional to that purpose.
Guidance
This plugin appears to do exactly what it says: accept Now4real webhooks and send bot replies back through Now4real's API. Before installing, verify you will host the webhook on a public HTTPS OpenClaw endpoint and set a strong webhookAuthorization secret. Be aware the plugin will send that secret as the Authorization header to Now4real for outbound calls (documented behavior) — if you prefer separation of inbound/outbound credentials, consider using different secrets or verifying with your Now4real account. Also consider rotating the webhook secret periodically and restricting which IPs or TLS certs can reach your webhook if your environment supports that. Finally, validate on a test site first to confirm request/authorization formats match your Now4real dashboard settings.

Review Dimensions

Purpose & Capability
ok: Name/description, README/SKILL.md and code all implement a Now4real channel (webhook inbound + outbound API). No unrelated binaries or credentials are requested.
Instruction Scope
ok: SKILL.md only instructs the user how to install/configure the channel, register a webhook URL, and add the Now4real widget to pages. The plugin code reads webhook bodies, validates an Authorization header, dispatches to OpenClaw, and calls Now4real APIs, all within the stated scope.
Install Mechanism
ok: There is no remote download/install step in the registry metadata (no install spec); source code is included in the package. No arbitrary external installers or URL-based extracts are used.
Credentials
note: No required environment variables; the optional OPENCLAW_NOW4REAL_API_URL is documented. The plugin requires a webhookAuthorization secret in OpenClaw config (documented and marked sensitive). Note: that same secret is used as the Authorization header for outbound Now4real API calls (this is documented in the plugin UI hint); that is reasonable but means the secret will be sent to Now4real when sending messages.
Persistence & Privilege
ok: The plugin is not always-enabled and uses standard plugin behavior (registers an HTTP route within OpenClaw). It does not modify other skills or request elevated persistent privileges.