Plugin v0.1.1

ClawScan security

Watcher Channel · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 24, 2026, 2:45 AM
Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary
This plugin's code, instructions, and declared configuration are consistent with a relay-backed messaging channel: it connects to a user-provided Watcher relay URL (via WebSocket/REST), authenticates with a pairing code or token, and forwards/receives messages — nothing in the bundle appears to perform unrelated or hidden actions, but you must trust the relay server you configure.
Guidance
This plugin appears to do what it says: connect your OpenClaw instance to a Watcher relay using a server URL and either a pairing code or a channel token. Before installing: (1) verify and trust the relay server URL you will configure — the plugin will open a persistent WebSocket and accept inbound messages from that server; (2) keep channel tokens and pairing codes secret and store them only in the channel config or environment variables; (3) note the registry summary omitted env vars but the plugin supports OPENCLAW_WATCHER_SERVER_URL, OPENCLAW_WATCHER_CHANNEL_TOKEN, and OPENCLAW_WATCHER_PAIRING_CODE; (4) consider whether you want remote messages to be able to trigger agent activity — if not, do not enable this channel or set dmPolicy to restrict incoming messages. If you want extra assurance, review the remaining functions in src/client.ts (persistPairingResult, consumePairingCode, inbound message processing) to confirm how pairing results are stored and how inbound messages are handled.

Review Dimensions

Purpose & Capability
note: The plugin's name/description match its behavior: it implements a 'watcher' channel that connects to a relay server over WebSocket/HTTP, consumes pairing codes or channel tokens, and sends/receives messages. One minor inconsistency: the registry metadata reported "Required env vars: none," but the package and code explicitly surface channel environment variables (OPENCLAW_WATCHER_SERVER_URL, OPENCLAW_WATCHER_CHANNEL_TOKEN, OPENCLAW_WATCHER_PAIRING_CODE) in openclaw.plugin.json and read them in src/config.ts. Functionally this is reasonable (the plugin supports env-based config), but the registry summary should list those env vars.
Instruction Scope
ok: SKILL.md simply instructs how to install/enable the plugin and configure the channel and correctly notes that a server URL and either pairing code or channel token are required. The runtime code does not attempt to read unrelated files or credentials; it uses the declared channel config/env vars and communicates only with the configured relay server. Note: as a messaging channel it will accept inbound messages from the relay and route them into OpenClaw — that is expected for this kind of plugin but is a behavioral point the user should understand.
Install Mechanism
ok: There is no custom install spec (the package is provided as source in the bundle). Dependencies are reasonable (ws and zod). No remote download/execute steps or unusual installers are present in the repository.
Credentials
note: The plugin legitimately needs a server URL and either a pairing code or a channel token to perform its function; these are declared in openclaw.plugin.json and read from process.env in src/config.ts. However, the registry summary omitted required env var information, which is an inconsistency the user should be aware of. No unrelated credentials or broad secrets are requested.
Persistence & Privilege
ok: The plugin does not set always: true and doesn't request system-wide configuration beyond its own channel config. It registers a runtime service and opens outbound network connections to the configured relay, which is normal for a channel plugin. Keep in mind that allowing the plugin to run lets the remote relay deliver messages into your OpenClaw instance (expected for a messaging channel) — a malicious or compromised relay could deliver adversarial messages.