v1.3.2

Openclaw Plugin

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 5:22 AM.

Analysis

This appears to be a coherent security-scanning plugin, but users should understand that it can inspect and block agent messages, store quarantine metadata, use LLM classification, and rely on an external hopeid package.

GuidanceThis skill is appropriate to consider if you want an IDS-style OpenClaw security plugin. Before installing, review the hopeid dependency and setup command, decide whether auto-scan or strict blocking should be enabled, configure only trusted LLM and Telegram providers, and periodically review or clean quarantine records.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityLowConfidenceHighStatusNote

SKILL.md

Auto-scan — Scan messages before agent processing ... BLOCK (strictMode): ... → ABORT (no recall, no agent) ... WARN (non-strict): → Inject <security-alert>

The plugin can alter or stop message flow before an agent acts. This is core IDS behavior, but it can affect availability or task completion if thresholds produce false positives.

User impactLegitimate messages may be blocked or annotated with security warnings when auto-scan or strict mode is enabled.

RecommendationEnable auto-scan and strict mode intentionally, test thresholds with expected traffic, and keep human review available for false positives.

Agentic Supply Chain Vulnerabilities

SeverityLowConfidenceHighStatusNote

package.json

"dependencies": { "hopeid": "^0.1.0" }

The plugin relies on an external hopeid package through a semver range, so future dependency updates could change core IDS behavior.

User impactInstalling or updating the dependency may introduce behavior not visible in these plugin artifacts.

RecommendationReview the hopeid package provenance, consider pinning an exact dependency version, and avoid running setup commands from sources you do not trust.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityLowConfidenceHighStatusNote

openclaw.plugin.json

"telegramAlerts": { "type": "boolean", "default": true, "description": "Send Telegram alerts for blocked messages. Requires Telegram channel configured in OpenClaw (channels.telegram.botToken)" }

Telegram alerting uses existing OpenClaw Telegram channel credentials when configured.

User impactBlocked-message metadata may be sent through the configured Telegram bot and chat.

RecommendationConfirm the bot token and chat ID are trusted, restrict who can access the alert channel, and disable Telegram alerts if they are not needed.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication

SeverityLowConfidenceHighStatusNote

index.ts

const result = await api.invokeTool('llm-task', { ... input: { message: message.substring(0, 2000), source: context.source ?? 'unknown'

When the llm-task classifier path is used, message text is passed to another plugin/model route for classification.

User impactSensitive content in scanned messages may be sent to the configured model/provider or classifier route.

RecommendationUse trusted LLM providers or endpoints, and disable semantic or llm-task classification if message contents should not leave the local/plugin boundary.

Memory and Context Poisoning

SeverityLowConfidenceHighStatusNote

index.ts

const recordsFile = path.join(baseDir, 'records.json'); ... fs.writeFileSync(recordsFile, JSON.stringify(records, null, 2));

The fallback quarantine manager persists detection records locally, including metadata such as sender, risk, patterns, content hash, and status.

User impactQuarantine metadata and review decisions can persist across sessions and may influence later security handling.

RecommendationSet an appropriate quarantine directory and retention process, review trust/approval decisions carefully, and avoid sharing the quarantine directory unnecessarily.