Openclaw Plugin
Warn
Audited by ClawScan on May 10, 2026.
Overview
The plugin’s governance purpose is coherent and mostly disclosed, but an advertised safety control appears incomplete: CLAMP decisions are allowed without applying the constrained action, while high-risk tool details are sent to an external gateway.
Before installing, decide whether you are comfortable sending high-risk tool inputs and short output summaries to Kevros. Configure mode, apiKey, agentId, highRiskTools, and autoAttest explicitly. Do not rely on CLAMP as an enforcement control until the plugin applies the constrained action or blocks clamped calls.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may believe unsafe actions are being automatically constrained, but a clamped high-risk action may execute unchanged.
The hook logs that a CLAMP decision is proceeding with constraints, but it does not replace the original tool input with result.applied_action or block the call. For high-risk tools such as bash, exec, write_file, or edit_file, the original action can still run.
if (result.decision === "CLAMP") { ... "CLAMP: tool=%s reason=%s (proceeding with constraints)" ... } ... return { allow: true };
Do not rely on CLAMP enforcement until the plugin either mutates the tool input to the returned applied_action or blocks CLAMP decisions when mutation is not supported.
Sensitive command inputs or result snippets may leave the local environment and be processed by the Kevros gateway.
The skill openly discloses that high-risk tool inputs and output summaries are sent to an external governance gateway. This is purpose-aligned, but these fields may contain secrets, file contents, commands, or operational details.
Tool name and full input payload are sent to `POST /governance/verify` ... Tool name, a **truncated output summary (up to 500 characters)** ... are sent to `POST /governance/attest`.
Use non-sensitive test data first, restrict highRiskTools where possible, and set autoAttest to false if output summaries may contain secrets.
Installing and using the plugin without a configured key can automatically register the agent identifier with the service.
If no API key is configured, the client automatically signs up for a free-tier key and stores it in memory. This is disclosed, but it creates an identity/account relationship with the gateway on first use.
private async ensureApiKey(): Promise<void> { if (this.hasApiKey) return; await this.signup(); } ... this.post<SignupResponse>("/signup", { agent_id: agentId ?? this.agentId }, /* auth */ false); this.apiKey = res.api_key;
Set an explicit API key and agentId if you want controlled identity/account handling, or avoid using the plugin if implicit signup is not acceptable.
A user may be surprised by fail-closed blocking of high-risk tools if they relied on the manifest’s advisory default.
The plugin manifest presents advisory as the default, while the runtime resolver in src/config.ts uses enforce when mode is omitted. That discrepancy can change whether high-risk tools are merely logged or blocked.
"mode": { ... "default": "advisory", ... "description": "Enforcement mode: enforce (fail-closed), advisory (log-only, recommended for evaluation), deny (block all)." }
Set the mode explicitly during installation and ask the publisher to align the manifest, README/SKILL documentation, and runtime default.
It may be harder to confirm that the reviewed files match the package actually installed from npm.
The registry-level metadata lacks clear source/homepage/install provenance even though the artifacts include npm package metadata and plugin code. Static scan is clean, so this is a provenance note rather than evidence of malicious behavior.
Source: unknown; Homepage: none ... No install spec — this is an instruction-only skill.
Verify the npm package, repository, and version before installing, especially because this plugin receives high-risk tool inputs.
