Skill v0.4.6

ClawScan security

Openclaw Plugin · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 20, 2026, 8:01 PM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The plugin's code, docs, and declared requirements are internally consistent with a governance/attestation purpose, but it sends tool inputs/outputs to an external gateway and defaults to enforcement behavior that can block tool execution if the gateway is unavailable — both are security/privacy risks you should consider before installing.
Guidance
This plugin appears to do what it says (governance + attestation), but it relies on an external gateway and will transmit tool inputs and (truncated) outputs to that service. Before installing:
1) Decide whether you trust https://governance.taskhawktech.com with tool inputs/outputs (these may include secrets).
2) If you are cautious, set mode to 'advisory' during evaluation and set autoAttest:false to avoid post-execution transmissions.
3) Consider supplying your own KEVROS_API_KEY (avoid implicit auto-signup) or hosting a private gateway if available.
4) Audit the npm package publisher/repository provenance (who published the package, is the repo trustworthy).
5) Limit highRiskTools to the minimum set needed.
If you need the plugin to never block operations, explicitly configure mode='advisory' or avoid enabling the plugin in production until you trust the gateway.

Review Dimensions

Purpose & Capability
ok: Name/description (governance, decisioning, attestation) match the code and SKILL.md. The client talks only to the declared gateway (https://governance.taskhawktech.com) and the plugin registers hooks/tools that implement the stated functionality. Primary credential KEVROS_API_KEY is appropriate for an external governance API.
Instruction Scope
concern: The plugin sends the full tool name and the full input payload to POST /governance/verify before execution, and it sends a truncated (up to 500 chars) output summary plus governance metadata to POST /governance/attest after execution. That means potentially sensitive inputs/outputs are transmitted to a third party. The README/SKILL.md note that payloads are SHA-256 hashed 'on receipt' at the gateway, but raw data is still transmitted in the request. The plugin also auto-signs up for an API key when none is configured, causing an implicit network call on first use.
Install Mechanism
ok: Distribution and install are via an npm package (@kevros/openclaw-plugin) and the bundle contains readable source and compiled dist files. No downloads from obscure hosts or archive extraction steps are present. package.json/lock show standard dev deps only.
Credentials
note: Only one primary credential (KEVROS_API_KEY) is used, which fits the purpose. Minor inconsistency: SKILL metadata lists requires.env as empty while primaryEnv is set to KEVROS_API_KEY; the code supports auto-provisioning a key if none is supplied. Auto-provisioning will cause a POST /signup and will cache the returned key in memory (not persisted).
Persistence & Privilege
note: always:false is set and there is no attempt to modify other plugins' configs. However, the default enforcement-mode behavior (code default 'enforce') will fail closed: if the gateway is unreachable the plugin can block high-risk tool calls, creating an availability/denial-of-service dependency on the external service. The plugin also registers tools and hooks which the agent can call autonomously (this is expected behavior for a plugin).