ClawHub
Code Pluginsource linkedVerified

Google Chatv2026.5.28

OpenClaw Google Chat channel plugin for spaces and direct messages.

@openclaw/googlechat·runtime googlechat·by @openclaw
openclaw plugins install clawhub:@openclaw/googlechat
Latest release: v2026.5.28Download zip

Capabilities

Tags
executes-codechannel:googlechatsetupartifact:npm-packnpm-mirror:available
Channels
googlechat
configSchema
Yes
Executes code
Yes
HTTP routes
0
Runtime ID
googlechat
Setup entry
Yes

Compatibility

Built With Open Claw Version
2026.5.28
Min Gateway Version
>=2026.4.10
Plugin Api Range
>=2026.5.28
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The package is a Google Chat channel plugin for OpenClaw that sends messages, uploads attachments, handles reactions, and processes authenticated Google Chat webhooks; those capabilities align with the stated channel purpose.
Instruction Scope
The message action accepts media paths or URLs for upload, but that is disclosed as media support and is routed through OpenClaw media helpers with size limits and host-provided local media controls.
Install Mechanism
The artifact is an official trusted @openclaw npm package with source-linked metadata, no npm lifecycle install scripts, and ordinary Google API/auth dependencies.
Credentials
The plugin needs Google service account credentials, Google API network access, webhook handling, and optional user-directed media file reads; these are proportionate for a Google Chat integration.
Persistence & Privilege
No unbounded persistence or privilege escalation was found; runtime state is limited to channel webhook registration, status, and bounded auth/certificate caches while the channel is active.
Scan Findings in Context
[SQP-2] expected: The media upload path is real, but it is a visible Google Chat attachment feature rather than hidden exfiltration; local reads depend on host media access parameters and configured limits.
[suspicious.exposed_secret_literal] unexpected: The static finding appears to be a false positive on a dynamic bearer-token field used for webhook verification, not a hardcoded secret literal.
Assessment
Install this only if you intend OpenClaw to send and receive Google Chat messages using a Google service account. Keep Google scopes and Chat spaces limited, prefer allowlists for DMs and groups, and restrict media file roots so agents can upload only files you expect to share.
dist/channel.runtime-Ds0MRKqf.js:575
File appears to expose a hardcoded API secret or token.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Verification

Tier
source linked
Scope
artifact only
Summary
Validated package structure and linked the release to source metadata.
Source
github.com/openclaw/openclaw
Commit
e93216080aa1
Tag
refs/heads/release/2026.5.28
Provenance
No
Scan status
clean

Tags

alpha
2026.5.19-alpha.1
beta
2026.6.1-beta.1
latest
2026.5.28