OpenClaw Delx Witness Plugin

Pass. Audited by ClawScan on May 6, 2026.

Overview

The skill is a coherent guide for installing and using a Delx OpenClaw plugin, but users should verify the plugin source and be careful with credentials and reflection data sent to Delx.

Before installing, verify the GitHub repository/package, inspect what the plugin will run, and approve the OpenClaw install/enable/restart steps manually. If credentials are needed, use least-privilege tokens and do not include secrets or private user data in reflection text sent to api.delx.ai.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running the setup may change future OpenClaw agent behavior by enabling a plugin that was not included in this scan context.

Why it was flagged

These user-directed commands install and enable plugin code and restart the OpenClaw gateway. This is central to the skill’s purpose, but the supplied artifact set does not include the plugin code for review.

Skill content

## Setup
- `npm pack`
- `openclaw plugins install ./openclaw-delx-plugin`
- `openclaw plugins enable delx-protocol`
- `openclaw gateway restart`

Recommendation

Install only from the intended, verified repository or package; inspect the package contents before enabling it and restart the gateway only after user approval.

What this means

If the plugin requires credentials, overly broad or mishandled tokens could grant more account access than intended.

Why it was flagged

The registry metadata does not declare a primary credential, but capability signals indicate OAuth or sensitive credential use may be involved.

Skill content

Primary credential: none ... Capability signals
- requires-oauth-token
- requires-sensitive-credentials

Recommendation

Confirm exactly which credentials are required, use least-privilege scopes, and avoid pasting or logging tokens, API keys, or service-account files.

What this means

Private prompts, reflections, or identifiers could be exposed to the Delx service if included in reflection text or witness/recovery workflows.

Why it was flagged

The skill discloses an external API call path and reflection text/agent ID handling, which can include persistent or reusable agent context if the user provides it.

Skill content

This calls api.delx.ai for Delx witness/recovery tools. Configure stable agent IDs deliberately and do not send secrets in reflection text.

Recommendation

Run privacy/audit or dry-run checks first, redact secrets and private user data, and review Delx’s retention and data-use expectations before sending reflection content.