ClawLens
ReviewAudited by ClawScan on May 18, 2026.
Overview
Prompt-injection indicators were detected in the submitted artifacts (system-prompt-override); human review is required before treating this skill as clean.
Install only if you want a plugin that observes OpenClaw tool calls. Protect `~/.openclaw/clawlens/` as sensitive local log data, review broad guardrails before enabling them, and leave optional LLM evaluation or external alert routing disabled unless you are comfortable with redacted activity metadata leaving your machine. ClawScan detected prompt-injection indicators (system-prompt-override), so this skill requires review even though the model response was benign.
Publisher note
ClawLens v1.0.1 addresses the ClawScan remediation items from the initial release. The plugin now installs through the normal OpenClaw install path without requiring force. Default behavior is local-safe: deterministic scoring, dashboard, audit logging, credential redaction, and local guardrail records are enabled; LLM risk evaluation and generic high-risk alerts are off by default and require explicit user configuration. ClawLens is an observability and guardrail plugin, so it intentionally sees OpenClaw tool names and tool parameters, writes a local hash-chained audit log, and can enforce user-created block / require_approval / allow_notify guardrails. These capabilities are disclosed in the README and are core product behavior. Optional LLM evaluation only runs when risk.llmEnabled=true and sends redacted tool-call metadata through the user’s configured OpenClaw model/auth runtime. Deprecated provider/API-key config fields are accepted for migration compatibility but ignored in v1.0.1. Static analysis is clean. The remaining ClawScan notes appear to be expected capability and data-handling disclosures rather than hidden install behavior or credential harvesting. Please rescan v1.0.1: - source tag: v1.0.1 - source commit: 0fb726c79a05c4accb0352a5536b05c837b10a72 - package: @nk3750/openclaw-clawlens@1.0.1
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If you create broad guardrails, ClawLens can stop or pause agent actions across one agent or the fleet.
The skill can affect future tool execution by blocking or pausing matching tool calls, but the behavior is disclosed and tied to user-created guardrails.
Guardrails are rules you create from real activity. ... `block` | Rejects matching tool calls before they run. `require_approval` | Pauses matching calls and uses OpenClaw's configured approval flow.
Review guardrail scope before enabling rules, especially rules that apply to all agents or broad command/path patterns.
Tool names, paths, commands, URLs, and other redacted-but-sensitive activity metadata may remain on disk and could be read by anyone with access to that user profile.
The plugin persistently stores local audit records of agent activity; the documentation discloses that the audit log is not encrypted.
Audit log | On | No | Written to `~/.openclaw/clawlens/audit.jsonl`; hash-chained, not encrypted.
Treat the ClawLens audit directory like sensitive logs, restrict local account access, and periodically review or rotate logs if they contain private project activity.
If enabled, some agent activity metadata may leave the machine through the configured OpenClaw model provider.
Optional LLM evaluation sends redacted tool-call metadata to an external model provider, but it is disclosed and off by default.
LLM evaluation | Off | Yes, if enabled | Sends redacted tool-call metadata to your configured OpenClaw LLM provider when `risk.llmEnabled=true`.
Only enable LLM evaluation if the configured provider is acceptable for your data, and keep redaction enabled.
Recent tool-call context can influence later risk evaluation or summaries, so inaccurate or attacker-controlled tool parameters could affect observability output.
The code records recent sanitized tool-call context for session-level use, which is appropriate for risk evaluation but creates reusable context derived from prior agent actions.
sessionContext.record(sessionKey, { toolName, params: sanitizedParams, riskScore: risk.score, timestamp: new Date().toISOString() });Use ClawLens as an audit aid rather than a sole authority, and review high-risk summaries or guardrail suggestions before acting on them.