Skill v3.0.4

ClawScan security

Openclaw Eo Plugin · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 15, 2026, 4:15 AM
Verdict
suspicious
Confidence
high
Model
gpt-5-mini
Summary
The plugin largely matches its advertised multi-expert orchestration purpose, but it contains aggressive auto-configuration and self-enforcement code (reads/writes ~/.openclaw, injects content into SOUL.md, auto-applies rules) that is not declared in the manifest and poses a significant privilege/safety risk.
Guidance
This plugin is large and implements active, persistent changes to your OpenClaw installation (it reads ~/.openclaw/openclaw.json, enumerates agent workspaces, and writes/appends to each workspace's SOUL.md; it can also auto-generate and auto-enforce rules across agents). Before installing:
1) Only install from a trusted repository owner; the registry lists an unknown source.
2) Inspect package.json and any postinstall/deploy scripts (scripts/deploy.sh, scripts/eo-init.js) for commands that execute on install.
3) Review these modules in particular: auto-init (runAutoInit, writeSoul), closed-loop-evolver (autoEnforce behavior), rule-enforcer(-hybrid), and anything that reads/writes .openclaw or .eo-rules.
4) Back up ~/.openclaw/openclaw.json and all SOUL.md files and test in an isolated environment (or a throwaway account) first.
5) If you accept the plugin, disable or run auto-init/dry-run and set autoEnforce=false until you've audited behavior.
6) Be aware that modifying SOUL.md is equivalent to changing system prompts — treat it as a privilege and audit rule generation and enforcement logic before granting broad trust.
Findings
[system-prompt-override] expected: The plugin intentionally injects content into SOUL.md (agent 'soul' or prompt files) and supports 'suggestion' and 'mandatory' rule injection via the closed-loop evolver. Detection of system-prompt-override is expected by design, but it is a sensitive capability because it effectively modifies agents' base prompts/behavior.

Review Dimensions

Purpose & Capability
note: The name/description (multi-expert collaboration, 141 experts, orchestration, commands) is consistent with the included code: many modules (autonomy, coordination, memory, RAG, skills, etc.) implement that functionality. However, the registry metadata declared no config-path or environment requirements while the code explicitly reads/writes OpenClaw configuration and agent workspaces (e.g., .openclaw/openclaw.json, SOUL.md). That undeclared access is a mismatch worth noting.
Instruction Scope
concern: SKILL.md plus the included code indicate the plugin will auto-initialize and modify agent workspaces: runAutoInit reads ~/.openclaw/openclaw.json, enumerates agent workspaces, and will write or append EO content into each workspace's SOUL.md. Other modules (closed-loop-evolver, rule-enforcer-hybrid) can auto-generate and auto-enforce rules, inject suggestion sections into SOUL.md, and persist rule files (.eo-rules). Those behaviors go beyond providing tools/commands and actively modify agent/system prompts and configuration.
Install Mechanism
note: The manifest lists no install spec, but the package includes a full codebase (src/, dist/, package.json, package-lock.json, scripts/*). The SKILL.md suggests installing from GitHub or a local path. There is no download-from-untrusted-URL pattern in the registry spec itself, but the bundle contains install/build scripts (npm-related and shell scripts) which an operator would run to build/install locally — review package.json scripts before running. Because the plugin will perform filesystem writes when loaded, the lack of an explicit platform install step increases the need for manual review.
Credentials
concern: The skill declares no required env vars or config paths, yet code accesses the user's home directory and specific OpenClaw config/workspace paths (.openclaw/openclaw.json, ~/.openclaw/workspace, agent SOUL.md files). It also persists .eo-rules and can enforce hooks. Requesting no secrets while directly modifying local agent config is an omission and a proportionality concern.
Persistence & Privilege
concern: always:false (good), but the code is explicitly designed to auto-initialize all agent workspaces and the closed-loop evolver defaults to autoEnforce=true, meaning the plugin can autonomously inject 'suggestion' and 'mandatory' rules and modify SOUL.md across agents. That is persistent and high-privilege behavior (modifies system prompts and enforcement hooks). Because the skill is user-invocable and can be invoked autonomously by agents, this combination elevates the risk if the code behaves unexpectedly.