Openclaw Plugin Rides
Security checks across malware telemetry and agentic risk
Overview
The plugin's code, instructions, and configuration are consistent with a ride‑tracking plugin that optionally syncs Gmail receipts; the biggest risk is the expected, clearly-documented Gmail OAuth token stored in plaintext on the local machine.
This plugin appears to be what it claims: a rides expense tracker with optional Gmail receipt sync. The main security consideration is the Gmail OAuth token: connecting Gmail grants a token with read access to your entire inbox, and the plugin stores that token in plaintext at ~/.openclaw/rides/tokens.json, with file permissions as the documented mitigation. Before enabling Gmail sync, consider these steps:

- Only enable Gmail sync on a machine you control. Prefer a dedicated Gmail account for receipts if you want to limit exposure.
- Exclude ~/.openclaw/rides/tokens.json from any cloud backup or file sync service (add it to your backup ignore rules). Treat that file like a secret.
- After connecting, periodically review connected apps under Google Account > Security and revoke access if it is no longer needed. If your machine is compromised, run /rides_disconnect and revoke the app in Google settings.
- If you are uncomfortable granting Gmail access, use manual logging or screenshot parsing instead (both are supported). Screenshot parsing requires a Google AI key if you enable it; the plugin documents this.
- When editing ~/.openclaw/openclaw.json, follow the instructions to merge rather than replace the existing config, so you do not accidentally remove other plugins or tools.

If you want extra assurance, review the included source files (gmail/oauth.ts and gmail/api.ts) locally to confirm token handling, or run the plugin in a sandboxed environment or throwaway VM before enabling it on a primary machine.
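The steps above amount to three practical checks: confirm the plaintext token file is readable only by you, make sure it is listed in a backup ignore file, and merge new plugin settings into openclaw.json without clobbering what is already there. The following script is an added example written for this review; it is not code from the Rides plugin or the Openclaw project. It assumes openclaw.json is a JSON object and, for the constructed sample, that plugin settings live under a "plugins" key; the key names, the ignore-file path and the sample config are illustrative, not taken from the plugin's documentation.

```python
"""Hardening checks for the Rides plugin's Gmail token file and a
non-destructive merge into ~/.openclaw/openclaw.json.

Added example for this review, not the plugin's own code. Assumptions:
the config file is a JSON object; the "plugins" key and the sample
entries below are illustrative and may not match the real layout.
"""
import copy
import json
import os
import stat

TOKEN_PATH = os.path.expanduser("~/.openclaw/rides/tokens.json")
CONFIG_PATH = os.path.expanduser("~/.openclaw/openclaw.json")


def token_file_status(path=TOKEN_PATH):
    """Describe whether the plaintext token file is locked to its owner.

    Returns {"exists": False} if the file is absent (Gmail sync never
    connected, or already disconnected), otherwise the mode, whether any
    group/other bits are set, and whether the current user owns it.
    """
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return {"exists": False}
    mode = stat.S_IMODE(st.st_mode)
    group_or_world = mode & (stat.S_IRWXG | stat.S_IRWXO)
    return {
        "exists": True,
        "mode": oct(mode),
        "owner_only": group_or_world == 0,
        "owned_by_me": st.st_uid == os.getuid(),
    }


def tighten_token_file(path=TOKEN_PATH):
    """Strip group/other permission bits so only the owner can read the token."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return token_file_status(path)


def ensure_ignored(ignore_file, pattern):
    """Append `pattern` to a line-oriented ignore file if it is not already
    present. Returns True if a line was added. The ignore-file format is an
    assumption; adapt it to your backup or sync tool."""
    try:
        with open(ignore_file) as f:
            lines = {line.strip() for line in f}
    except FileNotFoundError:
        lines = set()
    if pattern in lines:
        return False
    with open(ignore_file, "a") as f:
        f.write(pattern + "\n")
    return True


def merge_config(existing, addition):
    """Deep-merge `addition` into a copy of `existing`.

    Nested dicts are merged key by key; scalars and lists from `addition`
    replace the old value; keys present only in `existing` survive, so other
    plugins and tools already configured are not dropped. Neither input is
    mutated.
    """
    result = copy.deepcopy(existing)
    for key, value in addition.items():
        if isinstance(value, dict) and isinstance(result.get(key), dict):
            result[key] = merge_config(result[key], value)
        else:
            result[key] = copy.deepcopy(value)
    return result


def merge_config_file(addition, path=CONFIG_PATH):
    """Load the JSON config, merge `addition`, and write it back atomically
    (write a temp file, then rename) so a crash cannot leave a truncated config."""
    try:
        with open(path) as f:
            existing = json.load(f)
    except FileNotFoundError:
        existing = {}
    merged = merge_config(existing, addition)
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        json.dump(merged, f, indent=2)
    os.replace(tmp, path)
    return merged


if __name__ == "__main__":
    # Constructed sample: a config that already has another plugin configured.
    EXISTING = {"plugins": {"notes": {"enabled": True}}, "theme": "dark"}
    RIDES = {"plugins": {"rides": {"enabled": True, "gmailSync": False}}}
    print(json.dumps(merge_config(EXISTING, RIDES), indent=2))
    print(token_file_status())
```

Run the script as-is to see the merge on the constructed sample and the current state of the token file; `tighten_token_file()` and `ensure_ignored()` are left for you to call explicitly, since both modify files. If `token_file_status()` reports `owner_only: False`, another local account can read the Gmail token, which is exactly the exposure the review warns about.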
SkillSpector
SkillSpector findings are pending for this release.
VirusTotal
No VirusTotal findings
