ClawHub
Code Pluginsource linkedVerified

Nextcloud Talkv2026.5.28

OpenClaw Nextcloud Talk channel plugin for conversations.

@openclaw/nextcloud-talk·runtime nextcloud-talk·by @openclaw
openclaw plugins install clawhub:@openclaw/nextcloud-talk
Latest release: v2026.5.28Download zip

Capabilities

Tags
executes-codechannel:nextcloud-talksetupartifact:npm-packnpm-mirror:available
Channels
nextcloud-talk
configSchema
Yes
Executes code
Yes
HTTP routes
0
Runtime ID
nextcloud-talk
Setup entry
Yes

Compatibility

Built With Open Claw Version
2026.5.28
Min Gateway Version
>=2026.4.10
Plugin Api Range
>=2026.5.28
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The package is an official @openclaw Nextcloud Talk channel plugin for self-hosted webhook bot conversations, including inbound webhooks, outbound replies, reactions, setup, and account configuration.
Instruction Scope
Runtime behavior is scoped through configured Nextcloud Talk accounts, bot secrets, sender and room allowlists, group/DM policies, and optional tool/skill filters.
Install Mechanism
The artifact is a normal npm package with a plugin manifest, setup entry, runtime extension, and only zod as a pinned dependency; no install-time script or unrelated installer behavior was found.
Credentials
The webhook server defaults to binding on 0.0.0.0, which is coherent for receiving Nextcloud webhooks but exposes the listener beyond localhost unless the user configures webhookHost or network controls.
Persistence & Privilege
The plugin stores replay-deduplication state under the OpenClaw state directory and can update OpenClaw config during setup/logout to set or clear Nextcloud Talk secrets; this is purpose-aligned and disclosed by the setup/config schema.
Scan Findings in Context
[SQP-2] expected: The default 0.0.0.0 webhook bind is real, but it fits a webhook channel plugin and is mitigated by HMAC signature validation, backend-origin checks, request limits, rate limiting, and replay dedupe; it warrants configuration guidance rather than Review escalation.
[VirusTotal] expected: VirusTotal telemetry is clean, with 0 malicious and 0 suspicious engines.
[staticScan] expected: The provided static scan is clean with no suspicious patterns detected.
Assessment
Before installing, configure the Nextcloud Talk bot secret carefully and restrict who can message the agent with allowlists and group/DM policies. If this host is on an untrusted network, set webhookHost to a loopback or intended interface, use firewall or reverse-proxy controls, and expose only the webhook path needed by your Nextcloud server.

Verification

Tier
source linked
Scope
artifact only
Summary
Validated package structure and linked the release to source metadata.
Source
github.com/openclaw/openclaw
Commit
e93216080aa1
Tag
refs/heads/release/2026.5.28
Provenance
No
Scan status
clean

Tags

alpha
2026.5.19-alpha.1
beta
2026.6.1-beta.1
latest
2026.5.28