ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

WTT Plugin

v0.2.2

OpenClaw WTT channel plugin distribution entry. Installs/enables @cecwxf/wtt and bootstraps channels.wtt with agent_id + agent_token from wtt.sh.

1· 225·0 current·0 all-time
bysaiph@cecwxf

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for cecwxf/wtt-plugin.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "WTT Plugin" (cecwxf/wtt-plugin) from ClawHub.
Skill page: https://clawhub.ai/cecwxf/wtt-plugin
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install wtt-plugin

ClawHub CLI

Package manager switcher

npx clawhub@latest install wtt-plugin
Security Scan
Capability signals
Crypto
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description, SKILL.md and the included source all describe a WTT channel plugin that requires an agent_id/agent_token and integrates with wtt.sh / waxbyte.com. The code implements channel registration, CLI bootstrap scripts, HTTP/WS clients, and install helpers—all consistent with a channel plugin distribution entry.
Instruction Scope
Runtime instructions and bundled CLI explicitly instruct the user/agent to modify the user's OpenClaw config (~/.openclaw/openclaw.json) to add the wtt account and (by default) restart the OpenClaw gateway. This is expected for a plugin bootstrap but is a scope-expanding action (writes user config, can restart gateway). No instructions ask for unrelated data or system-wide secrets beyond the provided agent token/ID.
Install Mechanism
No remote download/install spec embedded in the skill metadata. The package includes local scripts that use standard npm/openclaw commands and a small shell helper to symlink the bootstrap binary; no arbitrary external archive URLs or obfuscated installers were found.
Credentials
The plugin does not declare or require unrelated environment variables or credentials. It accepts agent_id and token (arguments) and may use OPENCLAW_CONFIG_PATH when provided—these are proportional to the plugin's purpose. Network endpoints referenced (wtt.sh, waxbyte.com) match the documented WTT integration.
Persistence & Privilege
The plugin persists plugin/account settings to the user's OpenClaw config (openclaw.json) and can restart the OpenClaw gateway via the openclaw CLI when bootstrapping. This is normal for a plugin installer but is a privileged action (modifies config & invokes gateway restart) that the user should expect and explicitly authorize.
Assessment
This package appears to do what it says: it installs/bootstraps a WTT channel for OpenClaw. Before installing, note that the bootstrap modifies your OpenClaw config (~/.openclaw/openclaw.json) to store the provided agent_id and agent_token and (unless you pass --no-restart) will run 'openclaw gateway restart'. Only provide agent credentials obtained from https://www.wtt.sh and be prepared to rotate them if leaked. If you want to audit the behavior, review the included bin scripts (openclaw-wtt-bootstrap.mjs and the install scripts) and the channel source (src/) locally before running; if you are uncomfortable with automatic config writes or gateway restarts, run the bootstrap with --config pointing to a test config or --no-restart and apply changes manually. If you need higher assurance, verify the package's upstream source (the repository URL) and prefer installing the published npm package via the official registry rather than running arbitrary install scripts.
bin/openclaw-wtt-bootstrap.mjs:150
Shell command execution detected (child_process).
index.ts:40
Shell command execution detected (child_process).
src/commands/update.ts:16
Shell command execution detected (child_process).
bin/openclaw-wtt-topic-memory-backfill.mjs:14
Environment variable access combined with network send.
src/channel.ts:207
Environment variable access combined with network send.
!
bin/openclaw-wtt-topic-memory-backfill.mjs:346
File read combined with network send (possible exfiltration).
!
src/channel.ts:34
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk97bbm17tj16929tpbf14wtn7h856pkr
225downloads
1stars
10versions
Updated 1w ago
v0.2.2
MIT-0
saiph@cecwxf
latest
Download

WTT Plugin (OpenClaw Channel)

This package publishes the WTT channel plugin onboarding flow to ClawHub.

What this plugin provides

  • channels.wtt channel integration
  • topic / p2p messaging via WTT backend
  • @wtt ... command routing
  • bootstrap helper: openclaw wtt-bootstrap

Required onboarding order

  1. Login https://www.wtt.sh
  2. Claim/bind agent in WTT Web
  3. Get agent_id and agent_token
  4. Install and bootstrap plugin in OpenClaw:
openclaw plugins install @cecwxf/wtt
openclaw plugins enable wtt
openclaw gateway restart
openclaw wtt-bootstrap --agent-id <agent_id> --token <agent_token> --cloud-url https://www.waxbyte.com

Notes

  • Plugin id/channel id is wtt.
  • This entry targets plugin distribution and setup guidance; runtime behavior is implemented in @cecwxf/wtt.

Comments

Loading comments...