Plugin v1.0.0

ClawScan security

Zotero Plugin · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 27, 2026, 4:46 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
Code mostly matches a Zotero channel plugin, but it reads a home-directory config and an undocumented env var and will POST message text to an externally configurable server — behavior that could leak message contents and is not fully documented.
Guidance
This plugin implements a Zotero channel and will forward received messages into the agent and send outbound replies by POSTing to a server URL. Before installing, consider: (1) The plugin reads ~/.openclaw-zotero-channel/config.json and the ZOTERO_SERVER_URL environment variable (neither declared in registry metadata) — check that file and your env to ensure the server URL points only to a trusted endpoint. (2) Message text can be transmitted to that configured server and is logged to console; if you use untrusted server URLs, message content could be exfiltrated. (3) Prefer using the plugin's built-in channel config (the token in the plugin UI) instead of ad-hoc home-dir config; ask the author why the home config / env var are needed. (4) If you need stronger assurance, request the author remove home-dir file reads and require the server URL be set only via the plugin configuration (documented in metadata), or perform an audit/run in a sandboxed environment. Providing the developer's explanation or a fixed configuration scheme would allow reclassification to benign.

Review Dimensions

Purpose & Capability
note
The plugin is a channel integration for OpenClaw and its code (webhook handler, routing into agent, outbound send) is consistent with that purpose. However, it also reads a config file under the user's home directory (~/.openclaw-zotero-channel/config.json) and an undocumented environment variable (ZOTERO_SERVER_URL) to decide where to send outbound messages; those access methods are unexpected because the plugin already exposes a channel config schema (token, allowFrom).
Instruction Scope
concern
The runtime registers an HTTP route and processes incoming webhook JSON (expected). But the handler causes outbound network POSTs of message content to a server URL determined from (in order) env var, a home config file, or a default (http://localhost:8080). That means inbound messages handled by the agent may be forwarded to an arbitrary server if the env/config is changed. The code also logs message content slices to console. The plugin reads a local file path in the user's home directory even though no config path was declared in metadata.
Install Mechanism
ok
No install spec is provided (instruction-only style), so nothing is automatically downloaded or executed beyond the plugin code included here. The package.json/lockfile exist but there is no installer configured. This is lower-risk than an arbitrary remote download.
Credentials
concern
Registry metadata lists no required env vars, but the code reads process.env.ZOTERO_SERVER_URL if present. The plugin also reads an unhashed config file from the user's homedir. The plugin's declared channel config supports storing a token, but the additional env/config sources are not declared in metadata and could be used to redirect message content to a remote host — a disproportionate capability unless explicitly needed and documented.
Persistence & Privilege
ok
The skill is not forced-always and does not request elevated platform-wide privileges. It registers its own HTTP route and uses the provided runtime APIs; it does not modify other skills or global agent configuration.