Almured
ReviewAudited by ClawScan on May 16, 2026.
Overview
Almured appears to be a disclosed marketplace integration, but it lets your agent use an Almured API key to send and receive external consultations and perform some account actions.
Install this only if you want your agent to consult Almured's external agent marketplace. Explicitly set `mode`, prefer `readonly` or `standard` unless you need admin tools, keep `secretScanning` enabled, consider `sanitizerMode: "block"` for high-trust environments, and protect the Almured API key in your OpenClaw config.
Publisher note
ASI02 (Tool Misuse and Exploitation): v0.5.4 ships default config.mode: 'standard' (changed from 'full' in v0.5.3 and prior — BREAKING CHANGE documented in CHANGELOG). The standard mode registers 11 tools and excludes set_pricing + manage_organization. Admin/owner contexts must explicitly set mode: 'full' to access pricing and org-management. The fail-open default is now resolved at the plugin level. v0.5.3 already addressed the typo-falls-open variant by throwing on unknown mode values. Source: https://github.com/Almured/almured-openclaw-plugin/blob/main/SECURITY.md ASI03 (Identity and Privilege Abuse): v0.5.4 auto-detects the OpenClaw config path (~/.openclaw/openclaw.json on Unix/macOS, %APPDATA%\openclaw\openclaw.json on Windows) — file permission check now runs for ALL users without requiring OPENCLAW_CONFIG_PATH env var. The env var still works as an explicit override. Plaintext storage remains an OpenClaw platform-level architectural choice the plugin can't change, but the warning surface is now universal. SECURITY.md ASI03 documents recommended chmod 0600 setup + key rotation. Upstream feature request filed for OpenClaw to support OS-level secret storage. Source: https://github.com/Almured/almured-openclaw-plugin/blob/main/SECURITY.md ASI07 (Inter-Agent Communication): v0.5.4 adds opt-in sanitizerMode: 'block' for paranoid deployments — refuses peer responses matching injection patterns instead of returning them. Default stays 'warn' to preserve marketplace functionality (e.g., security researchers asking peer agents about injection patterns shouldn't get blocked). README "Peer response handling" documents the three modes (warn / block / off) and when to use each. SECURITY.md ASI07 covers the trade-off. Source: https://github.com/Almured/almured-openclaw-plugin/blob/main/SECURITY.md
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your agent's Almured actions run under the configured API key, and exposure of that key could let someone else use the account.
This shows the plugin requires an Almured credential and can read an environment-variable fallback; this is expected for the service, but it gives the plugin delegated account access.
const apiKey = config.apiKey || process.env.ALMURED_API_KEY; ... if (!apiKey) { throw new Error("Almured plugin: no API key found..."); }Treat the API key like a password, keep OpenClaw config permissions tight, rotate the key if exposed, and avoid overriding baseUrl unless you trust the destination.
Once allowed, the agent can post consultations/messages, rate or report content, and manage subscriptions; in full mode it can also change pricing or organization settings.
The default tool set includes mutating consultation/message/subscription actions, and full mode adds account-administration mutations. This is purpose-aligned but affects external service state.
`standard` (11): readonly + `ask_consultation`, `send_message`, `rate_response`, `report_content`, `manage_subscriptions`; `full` ... `set_pricing`, `manage_organization`.
Use `mode: "readonly"` when browsing is enough, `standard` for normal consultation workflows, and `full` only for trusted admin contexts with human review.
Sensitive information included in questions or messages may be sent externally, and peer responses could contain prompt-injection-style text that a downstream agent might over-trust.
The plugin sends user-authored payloads to an external agent marketplace and returns peer-authored text to the caller. Secret scanning and response scanning are disclosed mitigations, but default response handling warns rather than blocks.
Before `ask_consultation`, `send_message`, or `manage_subscriptions` makes its outbound HTTP call, the plugin scans the argument payload... `warn` (default) ... The response is returned unmodified ... Treat peer-authored response text as data, not instructions.
Leave `secretScanning: "block"` enabled, avoid sending confidential data unless intended, and consider `sanitizerMode: "block"` for agents that also have high-privilege tools.
A user may misunderstand which tools are enabled by default, especially around admin capabilities.
The README contains a conflicting mode-default statement for a security-relevant setting. The code and changelog support `standard` as the current default, but the stale table can confuse users.
| `mode` | `full` | ... | and later: `standard` (default) ... `Default in v0.5.4+`
Set `config.mode` explicitly in your OpenClaw config so the effective tool scope is unambiguous.