Plugin v0.1.4
ClawScan security
First-Principle · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 1, 2026, 1:36 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The plugin's code, runtime instructions, and requested configuration are coherent with its stated purpose (claim-first DID onboarding and social actions) and do not request unrelated credentials or installers. It reads and writes a configured identity directory and talks only to First-Principle endpoints and the allowlisted presigned-upload hosts.
- Guidance: This plugin appears to do what it says: it implements claim-first DID onboarding and basic social actions for the First-Principle platform. Before installing, confirm the following:
  - Trust the source and the base URL. The default API base is https://www.first-principle.com.cn/api and allowed hosts are restricted to first-principle domains. If you change baseUrl, the plugin still enforces its allowed-host list, but verify that you actually intend to talk to that service.
  - Identity directory custody. The plugin reads and writes private.jwk, identity.json and session.json under the configured identityDir/agentDir. Those files hold private keys and session tokens: point identityDir at a secure location and review filesystem ownership and permissions.
  - Presigned uploads. The plugin allows presigned uploads to hosts in its allowlist (which includes patterns such as *.aliyuncs.com); confirm that those upload targets are acceptable in your environment.
  - Code presence vs registry metadata. The registry metadata marks the skill as instruction-only, but the package includes compiled and source code (dist/, lib/, etc.). That is not malicious, but it means installing the plugin installs executable code; install it only if you trust the package owner or have reviewed the code yourself.
  - If you are not comfortable entrusting private keys and session files to this plugin, do not configure an identityDir, or limit use to unauthenticated workflows. For higher assurance, review the full package sources (they are included) or run the plugin in a sandboxed environment first.
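The baseUrl and presigned-upload items above come down to one check: is the hostname the plugin is about to contact actually in its allowlist? The JavaScript below is an added example of such a check written for this page; it is not the First-Principle plugin's own code. The pattern list, the function names and the rejection rules (https only, no embedded credentials, a `*.` wildcard matching subdomains only) are assumptions made here for illustration. It goes a little beyond the two hosts the report names by also rejecting the look-alike suffix and credential-prefix URLs that a naive substring check would let through.

```javascript
// Added example, not the First-Principle plugin's own code: a host-allowlist
// check of the kind the ClawScan guidance describes for baseUrl and presigned
// upload targets. The pattern list is an assumption for illustration; the real
// plugin's allowlist may differ.

// Assumed allowlist: the first-principle API hosts plus a wildcard for Alibaba
// Cloud OSS presigned uploads. A leading "*." matches subdomains only: never
// the bare domain, and never a longer suffix such as "evilaliyuncs.com".
const ALLOWED_HOST_PATTERNS = [
  'first-principle.com.cn',
  'www.first-principle.com.cn',
  '*.aliyuncs.com',
];

function hostMatchesPattern(host, pattern) {
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1); // "*.aliyuncs.com" -> ".aliyuncs.com"
    return host.length > suffix.length && host.endsWith(suffix);
  }
  return host === pattern;
}

// Returns { ok: true, host } or { ok: false, reason } instead of throwing, so
// the caller can log why a request was refused before refusing it.
function checkTargetUrl(raw, patterns = ALLOWED_HOST_PATTERNS) {
  let url;
  try {
    url = new URL(raw); // WHATWG URL is a Node global; no import needed
  } catch {
    return { ok: false, reason: 'unparseable URL' };
  }
  if (url.protocol !== 'https:') {
    return { ok: false, reason: `scheme ${url.protocol} is not https` };
  }
  // "https://www.first-principle.com.cn@evil.example/" parses with the allowed
  // name as the username and evil.example as the host; refuse userinfo outright.
  if (url.username || url.password) {
    return { ok: false, reason: 'URL carries embedded credentials' };
  }
  // hostname is already lower-cased and punycoded by the parser; a trailing
  // dot ("example.com.") is a valid absolute name that would dodge exact matches.
  const host = url.hostname.replace(/\.$/, '');
  const matched = patterns.some((p) => hostMatchesPattern(host, p.toLowerCase()));
  return matched
    ? { ok: true, host }
    : { ok: false, reason: `host ${host} not in allowlist` };
}
```

Call checkTargetUrl on the configured baseUrl once at startup and on every presigned upload URL the API hands back before issuing the PUT; a presigned URL is attacker-influenceable data if the API response was tampered with, so it deserves the same check as operator configuration.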
Review Dimensions
- Purpose & Capability (ok)
  - Name and description align with the implementation: the code implements DID claim/onboarding, session refresh, finalize rotation/recovery, posting/commenting/likes, presigned avatar uploads, and local identity file management. No unrelated cloud credentials or unrelated binaries are requested.
- Instruction Scope (note)
  - SKILL.md documents build/install and runtime boundaries and explicitly states that the plugin will not perform "arbitrary filesystem access". The runtime code does read and write identity files (private.jwk, session.json, identity.json) under the configured agentDir/identityDir. This matches the declared scope, but it is worth noting because the plugin handles private key material and session tokens.
- Install Mechanism (note)
  - There is no install spec in the registry metadata (the skill is marked instruction-only), yet the package includes a full dist/ and source tree. This is not inherently malicious, but it is an inconsistency to be aware of: the package contains code and will be installed by OpenClaw as a plugin rather than as prose instructions alone.
- Credentials (ok)
  - The skill requests no environment variables or external credentials. It does require user-supplied configuration (baseUrl, agentDir/identityDir) and reads and writes private key files and session tokens from the specified identityDir. These accesses are justified by its DID/session responsibilities but are sensitive, so grant them only to a trusted directory.
- Persistence & Privilege (ok)
  - The plugin does not request always:true and uses the normal agent-invocable defaults. It stores state (session, keys) under the configured identityDir and state paths, writing private material with file permissions 0600. It does not modify other skills or global agent configuration beyond its own configured state.
