Code Plugin · source linked

Octo v1.0.13

Octo channel plugin for OpenClaw

octo · runtime: octo · by @caster-q
Community code plugin. Review compatibility and verification before install.
openclaw plugins install clawhub:octo
Latest release: v1.0.13

Capabilities

Channels: octo
configSchema: Yes
Executes code: Yes
HTTP routes: 0
Runtime ID: octo
Setup entry: Yes

Compatibility

Built With OpenClaw Version: 2026.5.4
Min Gateway Version: >=2026.4.15
Plugin API Range: >=2026.4.15

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (high confidence)

[!] Purpose & Capability
The package purpose is an Octo messaging channel and most network, token, WebSocket, file, media, and setup behavior fits that purpose; however the exposed octo_management tool includes create/update/delete group and thread actions, member removal, GROUP.md/THREAD.md updates, and voice-context deletion without an artifact-visible confirmation gate.
[!] Instruction Scope
The skill documentation includes defensive prompt-injection guidance, but runtime code also injects remotely fetched persona prompts into system context and injects group/thread markdown into prompt context, creating high-trust instruction surfaces controlled outside the local package.
Install Mechanism
Installation is a normal OpenClaw npm-pack channel plugin with setupEntry and onStartup activation; no hidden shell installer or child_process execution was found in the package entrypoints, and most static scan hits are dependency or example-code artifacts.
[!] Credentials
The channel legitimately needs network and bot-token access, but it also accepts outbound media from arbitrary local paths or HTTP(S) URLs and downloads inbound media/files into local temp paths that may be exposed to the agent, which is broader than simple messaging.
[!] Persistence & Privilege
The plugin stores GROUP.md/THREAD.md cache files under the OpenClaw workspace, keeps refresh timers for persona prompts and heartbeats, and supports onBehalfOf persona operation; these are purpose-aligned but privileged and under-scoped for a general channel plugin.
Scan Findings in Context
[SDI-2] unexpected: Confirmed: uploadAndSendMedia accepts raw local file paths and HTTP(S) URLs, then uploads them as outbound media. Media sending is expected, but arbitrary local-path and URL fetch authority is overbroad for an LLM-facing channel.
[SDI-2] expected: Confirmed: inbound files/media are downloaded to temp files and sometimes surfaced as inline content or local paths. This supports media handling, but the local path exposure is a real agent-ingestion risk.
[SDI-2] unexpected: Confirmed in the bundled skill docs: user bot-management APIs include create, update, delete, and token retrieval endpoints. The docs are related to Octo administration but exceed ordinary channel messaging scope.
[SQP-2] unexpected: Confirmed: octo_management directly exposes destructive or high-impact actions such as delete-thread, remove-members, metadata updates, and voice-context-delete without a visible two-step confirmation in that tool.
[SQP-2] expected: Confirmed: production source maps are shipped. This is not malicious by itself and is common in packages, but it does expose implementation detail.
[SQP-3] expected: Confirmed: top-level onBehalfOf config allows persona-clone operation where the bot acts for a human grantor. The feature is disclosed, but consent/audit controls are not visible in the manifest.
[SQP-3] expected: Confirmed: per-account onBehalfOf repeats the same persona/impersonation capability. This is coherent with multi-account configuration, but duplicates the sensitive entry point.
[SSD-1] unexpected: Confirmed: persona_prompt is fetched from the Octo server and composed into system prompt context. Persona behavior is a feature, but raw remote free-form system prompting is a material trust-boundary concern.
[SSD-1] expected: Partly mitigated by nearby documentation: owner full control is limited to DM and paired with credential-protection and social-engineering warnings, but it still grants broad admin semantics.
[SSD-1] unexpected: Confirmed in documentation and runtime: GROUP.md/THREAD.md content is used as prompt context. Runtime wraps it as context rather than the same system section used for persona prompts, but the documentation says it must be followed, so it remains a prompt-control concern.
What to consider before installing
Install only if you trust the Octo server, bot owner/grantor, and group/thread admins. Use least-privilege bot tokens, avoid enabling onBehalfOf unless impersonation is explicitly intended, and treat octo_management actions as admin-capable because they can change groups, members, threads, and prompt-affecting markdown.
Patterns worth reviewing

These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

node_modules/ajv/dist/compile/index.js:88 - Dynamic code execution detected.
node_modules/ajv/dist/compile/jtd/parse.js:50 - Dynamic code execution detected.
node_modules/ajv/dist/compile/jtd/serialize.js:49 - Dynamic code execution detected.
node_modules/ajv/lib/compile/index.ts:165 - Dynamic code execution detected.
node_modules/ajv/lib/compile/jtd/parse.ts:69 - Dynamic code execution detected.
node_modules/ajv/lib/compile/jtd/serialize.ts:64 - Dynamic code execution detected.
node_modules/har-validator/node_modules/ajv/dist/ajv.bundle.js:426 - Dynamic code execution detected.
node_modules/har-validator/node_modules/ajv/dist/ajv.min.js:2 - Dynamic code execution detected.
node_modules/har-validator/node_modules/ajv/lib/compile/index.js:125 - Dynamic code execution detected.
node_modules/ajv/scripts/get-contributors.js:11 - Environment variable access combined with network send.
dist/src/api-fetch.js:634 - File appears to expose a hardcoded API secret or token.
node_modules/aws4/README.md:57 - File appears to expose a hardcoded API secret or token.
node_modules/conf/dist/source/index.js:309 - File appears to expose a hardcoded API secret or token.
node_modules/cos-nodejs-sdk-v5/sdk/base.js:3420 - File appears to expose a hardcoded API secret or token.
node_modules/cos-nodejs-sdk-v5/sdk/cos.js:90 - File appears to expose a hardcoded API secret or token.
node_modules/request/lib/oauth.js:34 - File appears to expose a hardcoded API secret or token.
skills/octo-bot-api/SKILL.md:478 - File appears to expose a hardcoded API secret or token.
[!] skills/octo-bot-api/SKILL.md:332 - Prompt-injection style instruction pattern detected.

Verification

Tier: source linked
Scope: artifact only
Summary: Validated package structure and linked the release to source metadata.
Commit: ab4c7bf9dfcb
Tag: v1.0.13
Provenance: No
Scan status: suspicious

Tags: latest, 1.0.13

openclaw-channel-octo


OpenClaw channel plugin for Octo. Connects via WebSocket for real-time messaging.

Prerequisites

  • Node.js >= 22 (OpenClaw >= 2026.4.15 requires Node 22)
  • OpenClaw installed and configured (npm i -g openclaw)
  • A bot created via BotFather in Octo (send /newbot to BotFather)

Install

This plugin is published exclusively on ClawHub for fresh installs:

openclaw plugins install clawhub:octo

Configure a bot account

After installing, use OpenClaw's standard channels add flow.

Non-interactive (recommended for scripts and CI):

openclaw channels add --channel octo \
  --account my_bot \
  --bot-token bf_your_token_here \
  --http-url https://your-server.example/api

Interactive (prompts for token and API URL):

openclaw channels add

After the account is written, restart the gateway (openclaw gateway run --force) or wait for the next auto-reload — the plugin watches channels.octo and reconnects on changes.

Configuration

Bot accounts are stored in ~/.openclaw/openclaw.json under channels.octo.accounts:

{
  "channels": {
    "octo": {
      "enabled": true,
      "accounts": {
        "my_bot": {
          "enabled": true,
          "botToken": "bf_your_token_here",
          "apiUrl": "https://your-server.example/api"
        }
      }
    }
  }
}

Configuration fields per account:

  • botToken (required): Bot token from BotFather (bf_ prefix)
  • apiUrl (required): Octo server REST API base URL (e.g. https://your-server/api). The default http://localhost:8090/api only works for a local Octo dev server with the standard /api mount.
  • wsUrl (optional): WebSocket URL. Auto-detected from apiUrl if omitted.
  • cdnUrl (optional): CDN base URL for media files
  • requireMention (optional): Only respond when @mentioned in groups
  • historyLimit (optional): Group chat history message limit (default: 20)
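The field rules above, together with the pre-install advice on the scan tab (least-privilege tokens, onBehalfOf only when impersonation is intended), can be checked mechanically before the gateway is restarted. The script below is an added example and is not part of the octo plugin or of OpenClaw: it audits the channels.octo block of an openclaw.json and reports defects. Two things are assumptions rather than documented behaviour: that the auto-detected wsUrl is apiUrl with its scheme swapped from http(s) to ws(s), and that the onBehalfOf setting the scan describes appears as a key named onBehalfOf at the top level of channels.octo and/or inside an account. The sample configuration is constructed for the demonstration.

```javascript
// Added example, not part of the octo plugin or OpenClaw. Audits the
// channels.octo block of an openclaw.json against the documented per-account
// field rules and flags settings the scan tab calls privileged.
//
// Usage: node check-octo-config.js --config ~/.openclaw/openclaw.json
// Without --config it audits the constructed SAMPLE_CONFIG below.

const DEFAULT_API_URL = "http://localhost:8090/api"; // documented local-dev default

// Assumption (not stated on the page): the auto-detected wsUrl keeps the host,
// port and path of apiUrl and swaps http -> ws, https -> wss.
function deriveWsUrl(apiUrl) {
  const u = new URL(apiUrl);
  u.protocol = u.protocol === "https:" ? "wss:" : "ws:";
  return u.toString();
}

function auditAccount(name, acct) {
  const findings = [];
  const add = (severity, msg) => findings.push({ account: name, severity, msg });

  if (typeof acct.botToken !== "string" || acct.botToken === "") {
    add("error", "botToken is required");
  } else if (!acct.botToken.startsWith("bf_")) {
    add("error", "botToken lacks the BotFather bf_ prefix");
  }

  if (typeof acct.apiUrl !== "string" || acct.apiUrl === "") {
    add("error", "apiUrl is required");
  } else {
    let u = null;
    try { u = new URL(acct.apiUrl); } catch { /* not a URL at all */ }
    if (!u || !/^https?:$/.test(u.protocol)) {
      add("error", "apiUrl must be an http(s) URL");
    } else {
      if (acct.apiUrl === DEFAULT_API_URL) {
        add("warn", "apiUrl is the localhost dev default; only valid for a local Octo dev server");
      } else if (u.protocol === "http:" && !["localhost", "127.0.0.1"].includes(u.hostname)) {
        add("warn", "apiUrl is plain http to a remote host; the bot token would travel unencrypted");
      }
      if (acct.wsUrl === undefined) {
        add("info", `wsUrl omitted; auto-detect expected to yield ${deriveWsUrl(acct.apiUrl)}`);
      }
    }
  }

  if (acct.historyLimit !== undefined &&
      !(Number.isInteger(acct.historyLimit) && acct.historyLimit > 0)) {
    add("error", "historyLimit must be a positive integer (default 20)");
  }
  if (acct.requireMention !== undefined && typeof acct.requireMention !== "boolean") {
    add("error", "requireMention must be a boolean");
  }
  // Assumed key name: the per-account persona/impersonation entry point from the scan tab.
  if (acct.onBehalfOf !== undefined) {
    add("warn", "onBehalfOf is set: the bot acts for a human grantor; keep only if impersonation is intended");
  }
  return findings;
}

function auditConfig(config) {
  const octo = config && config.channels && config.channels.octo;
  if (!octo) return [{ account: "*", severity: "error", msg: "channels.octo block is missing" }];
  const findings = [];
  if (octo.onBehalfOf !== undefined) { // assumed key name, top-level variant
    findings.push({ account: "*", severity: "warn", msg: "top-level onBehalfOf is set; applies to every account" });
  }
  const accounts = octo.accounts || {};
  if (Object.keys(accounts).length === 0) {
    findings.push({ account: "*", severity: "error", msg: "channels.octo.accounts has no entries" });
  }
  for (const [name, acct] of Object.entries(accounts)) findings.push(...auditAccount(name, acct));
  return findings;
}

// Constructed sample: one well-formed account and one with several defects.
const SAMPLE_CONFIG = {
  channels: {
    octo: {
      enabled: true,
      accounts: {
        my_bot: { enabled: true, botToken: "bf_constructed_example", apiUrl: "https://your-server.example/api" },
        dev_bot: { enabled: true, botToken: "not-a-botfather-token", apiUrl: DEFAULT_API_URL,
                   historyLimit: 0, onBehalfOf: { grantor: "constructed-user" } },
      },
    },
  },
};

function loadConfig(file) {
  const fs = require("node:fs"); // resolved lazily so the module also loads without CommonJS require
  return JSON.parse(fs.readFileSync(file, "utf8"));
}

const argIdx = process.argv.indexOf("--config");
const report = auditConfig(argIdx >= 0 ? loadConfig(process.argv[argIdx + 1]) : SAMPLE_CONFIG);
for (const f of report) console.log(`[${f.severity}] ${f.account}: ${f.msg}`);
if (argIdx >= 0 && report.some((f) => f.severity === "error")) process.exitCode = 1;
```

Run it against the real file with --config before restarting the gateway; a non-zero exit means at least one account would fail the required-field rules, while warn lines mark settings worth a second look rather than defects.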

What it does

  1. Registers the bot with the Octo server via REST API
  2. Connects to WebSocket for real-time message receiving
  3. Auto-reconnects on disconnection
  4. Sends a greeting to the bot owner on connect
  5. Dispatches incoming messages to OpenClaw's message handler
  6. Supports typing indicators and read receipts

Architecture

index.ts is a standard OpenClaw plugin entry. When loaded:

  • api.registerChannel(octoPlugin) registers the Octo channel runtime
  • The bundled setupEntry exposes defineBundledChannelSetupEntry(...) so openclaw channels add works without first enabling the plugin
  • setupWizard + setup adapters on octoPlugin cover both interactive and CLI-flag setup paths
  • Configuration is read from channels.octo in OpenClaw's config; the plugin hot-reloads when that block changes

Disconnect

To disconnect a bot, send /disconnect to BotFather in Octo. This invalidates the IM token and kicks the WebSocket connection.