Foundry

Warn

Audited by ClawScan on May 10, 2026.

Overview

Foundry is transparent about being a self-writing extension, but it asks for broad authority to install unreviewed plugin code, modify agent capabilities, and persist learned context across future sessions.

Only install Foundry if you are comfortable with a development agent that can create and modify OpenClaw capabilities. Review the external npm package first, run it in a development profile, disable automatic learning for sensitive work, and require manual review before any generated code, hook, extension, marketplace install, or self-modification is applied.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing it could load external code that has broad control over OpenClaw behavior before the user has reviewed the actual implementation.

Why it was flagged

The provided artifact set contains only SKILL.md, but the skill directs installation of an external npm plugin that will be enabled and loaded into the gateway. For a self-writing extension, this unreviewed supply-chain step is material.

Skill content

openclaw plugins install @getfoundry/foundry-openclaw ... Download the plugin from npm ... Enable it automatically ... Restart the gateway to load

Recommendation

Review the npm package and repository source before installing, pin a trusted version if possible, and avoid enabling it automatically in sensitive environments.

What this means

A mistaken or overbroad agent action could create or modify tools and hooks that affect future agent behavior or the local OpenClaw environment.

Why it was flagged

The tool catalog grants broad mutation authority over extensions, hooks, tools, and skills. The artifact does not clearly bound which projects or directories can be changed, how changes are reversed, or how risky generated behavior is contained.

Skill content

`foundry_implement` | Research + implement a capability end-to-end ... `foundry_write_extension` ... `foundry_write_hook` ... `foundry_add_tool` ... `foundry_add_hook`

Recommendation

Use only with explicit per-change approval, inspect generated code before installation, and restrict it to a disposable or development OpenClaw profile.

What this means

The extension may change its own abilities over time, making future behavior harder to predict or audit.

Why it was flagged

The skill explicitly supports self-modification and persistent capability creation. Even if intended, this is high-impact behavior that needs strong scoping and review controls.

Skill content

**Self-Modify** — Add new capabilities to itself ... `foundry_extend_self` | Add new capability to Foundry itself ... Crystallization → High-value patterns become permanent capabilities

Recommendation

Disable or avoid self-extension unless you can audit every generated change, and keep version-controlled backups of configuration and generated artifacts.

What this means

Sensitive task context or incorrect patterns could be retained and influence future work without the user noticing.

Why it was flagged

The skill defaults to automatic learning from agent activity and reuses learned patterns in later conversations. The artifact does not clearly define retention, deletion, redaction, or trust boundaries for this stored context.

Skill content

`autoLearn` ... `true` | Learn from agent activity automatically ... Records error + context ... Patterns → Injected as context in future conversations

Recommendation

Turn off autoLearn for sensitive projects, review stored learnings regularly, and require a clear deletion or reset workflow before use.

What this means

Users may place more trust in generated code and self-modification than is warranted by the reviewed artifacts.

Why it was flagged

These are strong safety claims for a high-impact self-writing system, but the supplied artifact set includes no implementation to verify that these controls are actually enforced.

Skill content

Foundry validates all generated code before deployment ... Blocked: `child_process`, `eval`, `~/.ssh`, `~/.aws` ... Sandboxed ... Reviewed: You approve before any code is written to disk

Recommendation

Treat the security claims as unverified until the actual plugin code and enforcement mechanisms are audited.