Code Plugin · source linked

Package v1.0.27

Q-Claw common plugin shell for OpenClaw

qianyi-claw-test · runtime q-claw · by @ljqdh
Community code plugin. Review compatibility and verification before install.
openclaw plugins install clawhub:qianyi-claw-test
Latest release: v1.0.27

Capabilities

configSchema: Yes
Executes code: Yes
HTTP routes: 0
Runtime ID: q-claw

Compatibility

Built With Open Claw Version: 2026.4.11
Min Gateway Version: 2026.4.11
Plugin Api Range: >=2026.4.11
Plugin Sdk Version: 2026.4.11

Security Scan

VirusTotal: Pending
OpenClaw: Benign (medium confidence)

Purpose & Capability
Name/description (Q-Claw routing + auth + forwarder) match the code and included SKILL.md files. The code implements auth flows, product/scene routing, version checks and skill-sync behavior described in the README and openclaw.plugin.json.
Instruction Scope
SKILL.md files define strict routing and reply-handling rules for the managed skills (q-wms, q-erp). Runtime code performs network calls to a configured backend, and resolves identity/context from tool context. The SKILL.md does not explicitly state that the plugin will read agent session registries or persist auth/skill files on the host, but the code does perform those actions (see identity.readSessionRegistry and skill-sync/read/write functions).
Install Mechanism
There is no install script or remote download in the manifest (instruction-only install spec). Code files are bundled in the package; nothing in the package attempts to fetch or execute arbitrary remote archives during install.
Credentials
The package declares no required env vars and only optionally reads QCLAW_AUTH_STATE_FILE. It does, however, read and write files in the user's home (~/.openclaw/...) and can read an agentDir sessions file if provided in the runtime context. Network calls are made to a configurable defaultAuthBaseUrl (present in config files). These accesses are consistent with an auth/forwarding plugin, but they are sensitive (persisted tokens, session registries).
Persistence & Privilege
The plugin persists auth state and managed SKILL.md files under the user's home (e.g., ~/.openclaw/q-claw/q-claw-auth-state.json and ~/.openclaw/skills/<skillId>/SKILL.md) and maintains in-memory caches. It is not always-enabled (always:false) and does not request elevated platform-wide privileges, but it does gain persistent presence through these files which is consistent with its function.
Assessment
This package appears to do what it says: route requests, run an auth/device-code flow, forward tool calls to a backend, and persist auth/skill files under ~/.openclaw. Before installing, consider:

  1) The plugin will write auth state and managed skills to your home directory (under ~/.openclaw).
  2) It may read an agent sessions file if provided via the runtime context (agentDir), which could surface channel/tenant/user identifiers; confirm you trust the runtime context and session files.
  3) The provided config files use HTTP backend URLs (http://...), which would send tokens and data unencrypted unless you change to HTTPS; prefer configuring a secure (https) backend.
  4) No external credentials are requested by the skill manifest, but the plugin will contact whatever defaultAuthBaseUrl is configured; verify that URL points to a trusted backend.

If you need higher assurance, ask the publisher for their canonical backend endpoints and for HTTPS support, and review the included files in a secure environment.

index.js:89 - Environment variable access combined with network send.
test/auth-state.test.js:20 - Environment variable access combined with network send.
test/product-profile.test.js:30 - Environment variable access combined with network send.
test/service-sync.test.js:81 - Environment variable access combined with network send.
! index.js:69 - File read combined with network send (possible exfiltration).
! test/auth-state.test.js:147 - File read combined with network send (possible exfiltration).
! test/product-profile.test.js:439 - File read combined with network send (possible exfiltration).

Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Verification

Tier: source linked
Scope: artifact only
Summary: Validated package structure and linked the release to source metadata.
Commit: 78cb79db4370
Tag: codex/plugin-skill-boundary-optimization
Provenance: No
Scan status: pending

Tags

latest: 1.0.27

q-claw Plugin

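q-claw is the source code of Q-Claw's common plugin shell; it routes to product configurations by scene prefix.

Current facts:

  • Runtime install packages: qianyi-claw-test / qianyi-claw-prod
  • Tool name: q-claw
  • Unified Plugin ID: q-claw
  • Default product mapping: wms.* -> Q-WMS, erp.* -> Q-ERP
  • Default managed skills: wms.* -> q-wms, erp.* -> q-erp
    • To override, use managedSkillIdByProduct / managedSkillIdBySceneFamily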

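Current responsibilities

The plugin is responsible only for:

  • Product routing and initiating authentication
  • Version checks
  • Unified forwarding to the backend
  • Minimal runtime protection

The plugin is not responsible for:

  • WMS/ERP business logic
  • Interpreting DTO fields
  • Fixed reply shaping
  • Supervisor-type follow-up state machines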

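Code layering

  • index.js: main tool flow orchestration + product profile routing
  • lib/auth-api.js: authorization and backend HTTP calls
  • lib/identity.js: channel identity and session context resolution
  • lib/locale.js: locale normalization and parsing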