Plugin v0.2.0
ClawScan security
OpenClaw Kitchen Sink · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 29, 2026, 4:06 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The package is largely a coherent, credential‑free fixture that matches its stated purpose, but there are a few surprises (hidden Unicode control characters detected in the SKILL.md and CI/release references to tokens) that warrant manual inspection before enabling in any real environment.
- Guidance: This package appears to be what it says: a credential‑free 'kitchen sink' fixture that registers many plugin surfaces for testing. Still, before installing or enabling it: 1) Inspect SKILL.md (and README.md) for any invisible/control characters or unexpected instructions (open in a hex viewer). 2) Review the generated hooks and handlers (they will receive many platform events) and only enable the plugin in non-production or sandboxed agents first. 3) Do not supply CI/publishing secrets (CLAWHUB_TOKEN, NODE_AUTH_TOKEN, etc.) to the runtime — references to those are for repository CI workflows, not runtime. 4) If you plan to enable the plugin broadly, run it in a restricted environment and review network activity (to confirm the fixture behaves offline as claimed). If you find hidden characters or inexplicable external calls in the runtime code, treat the package as untrusted and do not enable it.
- Findings: [unicode-control-chars] unexpected: A Unicode control character pattern was detected in SKILL.md. This is not expected for a simple readable README/instructions and could indicate hidden/invisible characters inserted to alter rendering or attempt prompt-injection/obfuscation. It may be benign (editor artifact) but should be inspected manually (open SKILL.md in a hex or control-character aware editor).
Review Dimensions
- Purpose & Capability (ok): The name/description ('kitchen sink' fixture) matches the included code: generated runtime that registers many provider/tool/channel/hook surfaces and a bundled image asset. It requires no env vars or binaries and the manifest marks it as a disabled-by-default fixture. The heavy use of openclaw plugin-sdk imports and many registered surfaces is expected for a compatibility/fixture project.
- Instruction Scope (note): SKILL.md instructs running npm tasks (install, sync:surface, test, pack:check). Those are normal developer/CI steps but involve network access (npm install) and the sync script reads the installed openclaw package to regenerate fixtures. The runtime instructions claim not to call external services or read secrets, and the code shown uses local assets and deterministic behavior. However, the pre-scan detected unicode-control-chars in the SKILL.md (possible obfuscation/prompt-injection vector) — you should open the file in a hex/visible-control-char viewer to confirm nothing hidden is present.
- Install Mechanism (ok): No install spec in the registry entry (instruction-only), so nothing will be auto-downloaded or executed by the platform installer. The repo contains package.json and scripts for dev/CI use; those are standard and do not indicate any unusual remote download patterns in the manifest provided.
- Credentials (note): The skill declares no required env vars or credentials and the plugin manifest lists providers with authMethods: ['none']. That aligns with 'credential-free'. That said, repository documentation (AGENTS.md) mentions CI/Release workflows which use CLAWHUB_TOKEN and GitHub OIDC (permissions.id-token) for publishing; those are for maintainers/CI and are not required for runtime, but you should not provide such tokens to the plugin at runtime. No evidence the runtime reads other env vars or secret files.
- Persistence & Privilege (note): always is false and openclaw.plugin.json has enabledByDefault: false. The plugin registers a very large set of hooks/providers — expected for a kitchen-sink fixture — which means if you enable it the plugin will be wired to many platform events (hooks like before_model_resolve, before_prompt_build, agent lifecycle events, tool calls, etc.). This is consistent with its purpose, but gives the plugin broad visibility into agent activity while enabled, so treat enabling as granting broad observational capability.
