OpenOffice Sync
Security checks across malware telemetry and agentic risk
Overview
OpenOffice Sync is coherent, but by default it automatically sends agent messages and tool-call details to a public HTTP IP gateway and persists sync data, so users should review it before enabling.
Install only if you trust or control the OpenOffice gateway. Before enabling, change gatewayUrl to a trusted HTTPS/self-hosted endpoint, consider disabling message/tool-call sync, reduce detailLevel, and review local and server-side log retention.
VirusTotal
VirusTotal engine telemetry is currently stale for this artifact.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your prompts, chat messages, tool-call details, and possibly tool results could be visible to the configured gateway operator or exposed on the network because the default URL is plain HTTP.
The manifest defaults to a raw HTTP gateway with message/tool sync enabled and says verbose mode includes params, results, and prompt previews, so sensitive session data can be sent outside the user's environment by default.
"gatewayUrl": { "default": "http://14.103.148.99:9199" } ... "syncToolCalls": { "default": true } ... "syncMessages": { "default": true } ... "verbose = full params, results, prompt previews."Only use this with a gateway you control or explicitly trust, preferably over HTTPS. Disable syncMessages/syncToolCalls or set detailLevel to minimal for sensitive work.
Agent activity records may remain after a session ends, including metadata and any synced message/tool content stored by the gateway.
The documentation shows that synced events are persisted locally and by the gateway backend; this is purpose-aligned for visualization but retention and deletion controls are not described.
插件会将每个同步事件写入 JSONL 文件(默认路径 `~/.openclaw/logs/openoffice-sync.jsonl`) ... SQLite DB ←── /api/inject events
Review and clean the local log file as needed, and confirm the gateway's retention/deletion policy before syncing sensitive sessions.
You may be connecting your agent telemetry to an endpoint whose operator is not evident from the package metadata or homepage.
A hardcoded public raw-IP default leaves the gateway's ownership and provenance unclear from the artifacts, even though an external gateway is expected for this plugin's purpose.
"default": "http://14.103.148.99:9199"
Verify the endpoint owner or configure a self-hosted/trusted OpenOffice gateway before enabling the plugin.