Code Plugin · source linked

talk v1.0.11

talk channel plugin for OpenClaw

@nevis/talk·runtime talk·by @nevis
Community code plugin. Review compatibility and verification before install.
openclaw plugins install clawhub:@nevis/talk
Latest release: v1.0.11

Capabilities

Channels: talk
configSchema: Yes
Executes code: Yes
HTTP routes: 0
Plugin kind: channel
Runtime ID: talk

Compatibility

Built With Open Claw Version: >=2026.5.7
Min Gateway Version: >=2026.5.7
Plugin Api Range: >=2026.5.7
Plugin Sdk Version: >=2026.5.7

Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
The WebSocket talk-channel purpose is coherent, but the code declares media support disabled while implementing local file reads and WebSocket media upload, and declares direct chat only while handling group traffic.
! Instruction Scope
README and manifest do not clearly disclose arbitrary local path/file:// media reads, ignored mediaLocalRoots, group handling, or the NEVIS_JWT and SANDBOX_NAME environment requirements; package identity is also inconsistent between @nevis/talk and README install text.
Install Mechanism
The package is a normal npm-pack OpenClaw channel plugin with no install/postinstall script found, but it installs dependencies and runs executable plugin code.
! Credentials
The plugin connects to a default ws:// remote server, sends credentials in WebSocket headers, logs the NEVIS_JWT value at startup, and can transmit base64 file contents to the server.
! Persistence & Privilege
No separate host persistence was found, but the plugin starts a long-running reconnecting WebSocket client and can upload local files during outbound messages or reply formatting without user confirmation.
Scan Findings in Context
[SDI-1] unexpected: Confirmed capability mismatch: media is declared false while fs.readFile and uploadMedia can send local file contents over the WebSocket.
[SDI-4] unexpected: Confirmed capability mismatch: chatTypes lists only direct, but inbound parsing and routing support isGroup and ChatType group.
[SQP-2] unexpected: Confirmed arbitrary local media path handling; attachment paths and file:// references are read and uploaded without allowlist or confirmation.
[SC4] expected: The ws dependency is expected for a WebSocket channel, but the reported vulnerable version range should be updated before use.
What to consider before installing
Review before installing. Only use this plugin if you trust the publisher and configured WebSocket server with chat contents, environment credentials, and any local files the agent may reference. Prefer a patched build that declares its true capabilities, restricts uploads to approved roots, asks before local file upload, avoids logging NEVIS_JWT, declares group support accurately, and uses a secure wss:// endpoint.

Verification

Tier: source linked
Scope: artifact only
Summary: Validated package structure and linked the release to source metadata.
Commit: f4838de8beb1
Tag: main
Provenance: No
Scan status: suspicious

Tags

latest: 1.0.11

@opensino/talk

OpenClaw channel plugin for talk — connects OpenClaw to a WebSocket-based messaging server.

Installation

openclaw plugins install clawhub:@opensino/talk

Configuration

{
  "channels": {
    "talk": {
      "enabled": true,
      "serverUrl": "ws://your-server/v3/openclaw/talk"
    }
  }
}

License

MIT