Plugin v0.1.4

ClawScan security

Session Health Warning: Stay Sharp in Long AI Work · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign (Apr 21, 2026, 5:08 PM)
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The plugin's code, instructions, and requirements are internally consistent with its stated purpose (session-health warnings); it stores local session state on disk and appends operator/system context as designed — review the local state file and appended system-context behavior before installing.
Guidance
This plugin appears to do what it says: it monitors session signals and warns when sessions get large or risky. Before installing: (1) confirm you trust the plugin source and review the included code if you depend on strict security policies; (2) note it writes a state file (default .openclaw-session-bloat-warning-state.json) that may contain provider/model/auth-profile metadata and token counters — move that file to a safe path via config.stateFilePath or tighten filesystem permissions if needed; (3) be aware the plugin appends operator-facing system context and can emit synthetic replies, which will change the prompt material the agent sees — if you require immutable system prompts, avoid installing or disable those hooks; (4) the optional session_bloat_status tool returns the stored JSON snapshot — control who can invoke tools in your agent so that diagnostics aren't exposed to untrusted callers. If you want extra assurance, inspect the state file contents after a test run and/or run the plugin in a sandboxed environment first.
Findings
[system-prompt-override] expected: The SKILL.md and plugin intentionally append operator/system context (appendSystemContext / synthetic replies). The pattern detector flagged this as a system-prompt-override pattern, but here it appears to be a legitimate capability (the plugin adds diagnostics into system context). Still, review appended content because any plugin that mutates system context can affect agent behavior.

Review Dimensions

Purpose & Capability
ok: Name/description match the implementation: the code observes llm_input/llm_output events, computes signals and decisions, appends diagnostics to system context, provides pre/post compaction messages, and exposes an optional status tool. There are no unrelated env vars, binaries, or external endpoints required.
Instruction Scope
note: SKILL.md and runtime hooks stick to the declared purpose (warning and diagnostics). The plugin intentionally appends operator-facing system context and synthetic replies (before_agent_reply, before_prompt_build, before_compaction/after_compaction). Because it mutates system/assistant-visible context, you should be aware this changes prompt content the agent sees (this is expected for this plugin).
Install Mechanism
ok: No remote install/download URLs or package installers are embedded in the registry metadata; the skill is instruction-only for installation via local checkout or ClawHub. The distributed code is included in the bundle and contains no network retrievals or obfuscated installers.
Credentials
note: The plugin requests no environment variables or credentials. It does persist runtime signals including provider, model, auth profile, token counts and session identifiers to a local JSON state file (default: .openclaw-session-bloat-warning-state.json). Storing these runtime details is proportionate to the stated purpose but could contain sensitive metadata — consider relocating the state file or restricting its filesystem permissions.
Persistence & Privilege
note: always is false and the plugin is user-invocable (normal). The plugin reads/writes a local state file and registers an optional tool (session_bloat_status) that returns that state as JSON when invoked — expected for diagnostics, but be mindful that the tool exposes stored session signals if called.