Code Plugin (source linked)
agentcop v1.0.0
OWASP LLM Top 10 runtime monitor for OpenClaw — zero config, automatic from install
Community code plugin. Review compatibility and verification before install.
openclaw plugins install clawhub:@shaymizuno/agentcop-plugin
Latest release: v1.0.0
Capabilities
- Channels: agentcop
- configSchema: Yes
- Executes code: Yes
- HTTP routes: 0
- Runtime ID: agentcop
Compatibility
- Built With OpenClaw Version: 2026.3.24-beta.2
- Plugin API Range: >=2026.3.24-beta.2
Security Scan
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (runtime monitor for prompt injection, credential exfiltration, supply-chain/SSRF, excessive agency) match the implemented hooks (onMessageReceived, onMessageSend, onToolCall, onToolResult, onHttpRequest) and local detectors. No unrelated environment variables, binaries, or cloud credentials are requested.
Instruction Scope
Runtime instructions and code limit external network I/O to a single explicit command (/security badge) that calls agentcop.live (declared in package.json). The plugin inspects every message, tool call/result, and outgoing HTTP request — which is expected for a monitor but means it will see any sensitive content that flows through the agent. It does not appear to read files, environment variables, or perform any automatic external calls.
Install Mechanism
No install script or remote download present. Source is included directly; there are no third-party install steps or archived payloads. The only external host in code is agentcop.live (explicitly declared).
Credentials
The plugin requires no environment variables or credentials. Its detectors look for credential-like strings in data flowing through the agent (appropriate for detection).
Persistence & Privilege
The always flag is false (the plugin is not force-included). The plugin registers hooks to inspect runtime events, which is expected for a monitor. It does not modify other skills or system-wide configs. It may send alerts to channels and write to the agent log per its config (silentMode available).
Scan Findings in Context
[ignore-previous-instructions] expected: This phrase (and similar prompt-injection strings) appears in lib/detectors.js as a detection signature. The pre-scan flagged it, but its presence in detector patterns is deliberate and appropriate.
[you-are-now] expected: A common jailbreak pattern included in the detector pattern bank; expected for a prompt-injection monitor.
[system-prompt-override] expected: Another detector signature (e.g., 'system prompt:' / 'override your') used to detect injection. Presence is intentional.
Assessment
This plugin appears to do what it claims: it inspects all messages, tool calls, tool results, and outgoing HTTP requests and alerts on patterns that indicate injection, leaked credentials, SSRF/supply-chain calls, or excessive agency. Before installing, consider:
- (1) The plugin will see any sensitive data that passes through the agent (this is intentional for monitoring). If you handle secrets in conversations, be aware the detector inspects them for patterns; it does not send raw content out, but it will log/deliver alerts containing detection metadata.
- (2) The only network call is to agentcop.live and only on the explicit /security badge command; if you trust that badge endpoint you can use it, otherwise avoid invoking the badge command.
- (3) The package contains tests that may try to call the badge endpoint if run. Tests are not executed automatically at install but could perform network I/O in CI.
- (4) If you want quieter behavior, enable silentMode in the plugin config (logs only).
Overall the code is coherent with its stated purpose; if you have strict data-flow or regulatory constraints, review how the agent handles sensitive inputs before enabling the plugin in production.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
- tests/compliance.test.js:97: Shell command execution detected (child_process).
- tests/compliance.test.js:164: Dynamic code execution detected.
- tests/badge.test.js:51: File read combined with network send (possible exfiltration).
- tests/compliance.test.js:18: File read combined with network send (possible exfiltration).
Verification
- Tier: source linked
- Scope: artifact only
- Summary: Validated package structure and linked the release to source metadata.
- Commit: c62b64567a1d
- Tag: main
- Provenance: No
- Scan status: clean
Tags
- latest
- 1.0.0
