ClawHub
Code Pluginsource linked

Openclaw Pluginv1.1.0

Zopaf Negotiation Engine — Pareto frontiers, iso-utility counteroffers, and MILP-based preference inference for any negotiation.

openclaw-plugin-zopaf·runtime zopaf·by @rjandino
Community code plugin. Review compatibility and verification before install.
openclaw plugins install clawhub:openclaw-plugin-zopaf
Latest release: v1.1.0Download zip

Capabilities

Tags
executes-code
configSchema
Yes
Executes code
Yes
HTTP routes
0
Runtime ID
zopaf

Compatibility

Built With Open Claw Version
2026.4.2
Min Gateway Version
2026.3.24-beta.2
Plugin Api Range
>=2026.3.24-beta.2
Plugin Sdk Version
2026.3.24-beta.2
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (a negotiation math engine) matches the code: the plugin registers an MCP (math compute/compute proxy) server to perform negotiation computations. Requesting no local binaries or credentials is reasonable for a thin plugin that delegates compute to a remote service.
!
Instruction Scope
The runtime behavior (index.ts) registers an external MCP endpoint and will cause negotiation data to be sent to that URL. The provided SKILL.md/package.json text does not explicitly call out that user negotiation data will be forwarded to a third‑party hosted service, nor what data is transmitted or stored. That lack of explicit disclosure is scope creep from a privacy perspective.
Install Mechanism
No install spec — instruction-only plus a tiny plugin file. Nothing is downloaded or written by an installer. Code is small and static, so install risk is low.
Credentials
No environment variables, credentials, or config paths are requested. However the plugin hardcodes a default external URL (https://zopaf-mcp-production.up.railway.app/mcp) meaning confidential negotiation data could be sent to a third party unless the operator changes the mcpUrl. The default endpoint is not self-hosted by the platform and has no homepage or ownership documentation in the package metadata.
Persistence & Privilege
The skill does not request always:true and does not change other skills' config. It simply registers its own MCP server during plugin registration, which is normal plugin behavior.
What to consider before installing
This plugin delegates computation to a remote MCP server by default (a Railway.app URL). Before installing, verify you trust that endpoint and the author, and understand what negotiation data will be sent and retained. If you need to protect sensitive data, either: (1) configure the plugin to point to a self‑hosted mcpUrl you control, or (2) request source and hosting details from the author and a privacy/data‑retention policy. Because the package has no homepage and the default server is third‑party, treat it as a potential data‑exfiltration risk until you confirm ownership and hosting practices. If unsure, test in a sandbox environment or review the server implementation that receives the MCP traffic.

Verification

Tier
source linked
Scope
artifact only
Summary
Validated package structure and linked the release to source metadata.
Source
github.com/rjandino/zopaf
Commit
8a45f19
Tag
8a45f19
Provenance
No
Scan status
pending

Tags

latest
1.1.0