clawthority

This looks like a real authorization plugin, but its documentation overstates the default protection: code allows unrecognized tools in open mode even though the README says they are blocked.

Treat this as a security-sensitive plugin. If you install it, run it in closed mode for production, carefully register all tool/action classes, review npm install/build scripts, protect any Slack/Telegram credentials, and secure the audit log. Do not rely on the README’s open-mode claim that unknown sensitive actions are blocked unless the implementation is corrected.