Plugin v0.2.0

ClawScan security

Openclaw Canon · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 22, 2026, 7:33 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, runtime instructions, and requested privileges are consistent with its stated purpose: diagnosing and (with explicit preview+confirm) fixing repo-local canon files and memory snapshots; it reads and writes local files but does not request external credentials or network endpoints.
Guidance
This plugin appears coherent and implements the behavior it claims: it will read repo files and memory.jsonl and can delete malformed or duplicate memory lines or perform bounded sync rewrites, but only after you run a preview and provide the returned confirmToken. Before applying fixes:
1) run the preview and carefully inspect proposals/changes;
2) back up memory.jsonl and any repo files the preview touches (or use a branch/commit) so you can recover if something unexpected is removed;
3) verify pluginConfig or workspace-root resolution is pointing at the intended repo (to avoid operating on the wrong tree); and
4) review the small code surface if you have concerns about local file access.
There are no requested cloud credentials or network endpoints in the code provided.

Review Dimensions

Purpose & Capability
ok
The name/description claim workspace truth checks and bounded fixes for docs, memory, and repo canon. The package implements tools that read package docs, CI, README, and memory.jsonl and can preview/apply narrow edits. Required capabilities (file I/O) match the stated purpose; nothing asks for unrelated cloud credentials or system-level access.

Instruction Scope
ok
SKILL.md and bundled tool contracts describe diagnosis-first behavior and preview-before-apply workflows. The code enforces preview confirmTokens before apply and limits automatic edits to specific surfaces (memory.jsonl line deletions and bounded package-list sync rewrites). The package reads repo-local files and writes a plugin-owned state file; it does not instruct the agent to exfiltrate data or access unrelated system paths in the provided code.

Install Mechanism
ok
No external download/install spec is declared; the package contains source and built artifacts (dist) packaged inside the registry tarball. There are no URL downloads or extraction steps from untrusted hosts in the spec shown, so install risk is standard for a published plugin package.

Credentials
ok
The skill declares no required environment variables, credentials, or config paths. The runtime accepts pluginConfig for path hints but otherwise operates on repo-local files. This is proportionate to a repo-local canon tool. Note: it reads memory.jsonl, which may contain sensitive data; that is expected but worth awareness.

Persistence & Privilege
ok
The skill is not forced-always; it registers tools as optional and stores only minimal plugin-owned state (summaries, preview tokens) in a local JSON file. It does not modify other skills' configs or system-wide agent settings. The default ability for the agent to invoke the skill autonomously is unchanged (platform default) but not further elevated by this package.