Openclaw Interaction Bridge
Pass
Audited by ClawScan on Apr 27, 2026.
Overview
The plugin's code, declared env var, and runtime behavior are consistent with its stated purpose (bridging agent state, approvals, and notifications to a local Snarling display), but there are a few documentation/implementation mismatches and operational details you should review before installing.
This plugin is internally coherent with its stated purpose, but review and take these precautions before installing:
- Source and provenance: the registry entry's Source/Homepage fields are empty; prefer installing from an official/trusted repository (or audit the included code) rather than an unknown origin.
- Set OPENCLAW_APPROVAL_SECRET explicitly (strong secret) instead of relying on the generated UUID; verify Snarling will send that secret in callback JSON bodies.
- Audit the gateway HTTP callback handlers (approval/notification callbacks and any stats endpoints) to ensure they require the approval secret and do not accept unauthenticated requests. If the code exposes stats endpoints without auth, that could leak usage information.
- Confirm the WebSocket 'wake' behavior is acceptable: the external device can trigger agent resumes. If you need stricter controls, restrict which hosts can talk to the gateway or firewall the gateway ports so only the trusted companion device can reach them.
- Note the docs say the tool blocks but the implementation returns immediately and uses TaskFlow/webhook resume; test the behavior with your workflows so you understand timing and UX.
- If you plan to target a different host/port, prefer configuring through a vetted config mechanism; the plugin currently requires editing source constants (SNARLING_URL / CALLBACK_BASE_URL), which is fine but error-prone.

If you want higher assurance, provide the full callback-handler code (the truncated portions) so it can be checked that incoming webhooks are validated and that there are no unexpected outbound network calls beyond localhost.
