ClawHub

Openclaw Security Gate

OpenClaw pre-install security review plugin

Audits

Pass
ClawScanPass

Agentic behavior and permission review.

Static analysisPass

Pattern checks against bundled files.

VirusTotalundetected-only-fallback

Multi-engine malware detections and file reputation.

Install

openclaw plugins install clawhub:@openclaw/security-gate

@openclaw/security-gate

Security Gate is the safety checkpoint that runs before OpenClaw trusts a third-party plugin or skill. It reads package content, checks risky links and code, scores the risk, and helps OpenClaw decide whether the package should pass, be reviewed, or be blocked.

中文

这是什么

Security Gate 可以理解为 OpenClaw 的“安装前安检”。
它会在宿主准备信任一个第三方插件、Skill 或相关输入时,先做一轮自动安全检查,把原本需要人工逐项翻看的风险内容,压缩成清晰的结果:

  • 可以直接放行:allow
  • 需要人工复核:review
  • 应立即阻止:block

它的核心价值不是“多做一次扫描”,而是让 OpenClaw 用户在更早的时机发现高风险内容,避免把恶意规则、可疑链接、钓鱼页面、危险依赖或不安全代码装进工作环境。

它在什么时候生效

插件当前主要在以下场景触发:

  1. 显式调用工具 security_gate_scan
    适合在发布前、自测前、接入前先手动检查一个候选插件或 Skill 包。
  2. OpenClaw 触发安装类或更新类工具调用前
    插件会监听 before_tool_call,对名称匹配“plugin/skill install/update”的操作进行预检查。
  3. OpenClaw 发送消息前
    插件会监听 message_sending,对即将发送的文本内容做一次快速扫描;若判定为高风险,会直接取消发送。
  4. 宿主侧工作流把它作为统一安全关卡时
    例如发布审核、市场上架前审查、修复后的复测,这类场景通常通过 security_gate_scan 或配套 Skill 主动调用。

它运行时具体做了什么

一次完整扫描大致分为 6 步:

  1. 收集候选包内容
    读取插件或 Skill 的基础信息、manifestpackage.json、声明的 URL,以及文本、代码、图片、音频、视频等工件。
  2. 预处理与缓存复用
    标准化文本、整理工件、提取可扫描内容,并尽量复用之前的缓存结果,减少重复扫描成本。
  3. 并行执行 5 类核心检测
    • Prompt 注入与越权指令检测
    • 可疑链接检测
    • 钓鱼与仿冒检测
    • 暴力与情色内容检测
    • 静态代码安全检测
  4. 汇总 findings 并计算风险分数
    插件把命中的规则、严重级别、分类和证据汇总为结构化报告,并输出 0-100 风险分数。
  5. 产出决策并回传细节
    返回 allow / review / block,同时带回 findingsblockedCategories、性能指标、缓存分析与 runtime.cacheOptimization 运行态信息。
  6. 评估是否启用缓存优化
    如果开启了自动缓存优化,插件会根据本次扫描结果评估是否应用推荐配置;应用后还会进入监控期,若出现回归信号,则自动回滚到稳定配置。

它能带来哪些可量化收益

以下收益都能从当前实现中直接量化或验证:

  • 把判断结果压缩为 3 档决策:allowreviewblock
  • 提供 0-100 风险分数,默认 45 分进入复核,70 分进入拦截
  • 并行执行 5 类检测器,覆盖提示词、链接、钓鱼、内容、代码 5 个风险面
  • 内置 840+ 条高风险代码模式签名,用于静态代码风险识别
  • 返回逐次扫描耗时与缓存命中指标,便于观察扫描成本和优化效果
  • 内置 11 个缓存容量开关,可按宿主负载精细调优
  • 自动缓存优化支持 5 种可选值:falserecommendedconservativebalancedaggressive
  • 自动回滚监控窗口为 168 小时,并跟踪 4 类健康信号
  • 当前发布包已通过 9 项发布校验:lint、typecheck、单测、集成测试、benchmark、本地验证、许可证校验、SBOM 校验、签名校验

安装

openclaw plugins install clawhub:@openclaw/security-gate

快速上手

如果你只想先把它用起来,可以直接按下面 3 种方式选择:

1. 保守模式:先看结果,不自动改配置

  • 适用场景:第一次接入、希望先观察扫描结果
  • 推荐配置:
{
  "blockOnReview": false,
  "reviewThreshold": 45,
  "blockThreshold": 70,
  "autoApplyCacheOptimization": false
}

2. 严格模式:复核结果也阻止安装

  • 适用场景:生产环境、内部插件市场、合规要求高
  • 推荐配置:
{
  "blockOnReview": true,
  "reviewThreshold": 40,
  "blockThreshold": 70,
  "autoApplyCacheOptimization": false
}

3. 性能优先模式:允许自动应用推荐缓存

  • 适用场景:扫描频率高、插件包较多、重复扫描明显
  • 推荐配置:
{
  "blockOnReview": false,
  "reviewThreshold": 45,
  "blockThreshold": 70,
  "autoApplyCacheOptimization": "recommended"
}

工具说明

工具名:security_gate_scan

输入:

  • candidate:待扫描的插件或 Skill 快照
  • config:可选的临时策略覆盖项

输出:

  • decision:最终决策,取值为 allow | review | block
  • score:风险分数,范围 0-100
  • findings:逐条命中的风险项与证据
  • blockedCategories:导致拦截或复核的高风险分类
  • metrics:耗时、缓存命中、容量分析等指标
  • cacheOptimization:本次建议的缓存优化结果
  • runtime.cacheOptimization:当前运行态实际生效的缓存配置、稳定配置和自动应用/回滚状态

如何理解扫描结果

  • allow:当前未发现足以拦截的风险,可继续流程
  • review:存在可疑点,建议人工确认后再继续
  • block:风险已经足够明确,应停止安装、更新或发送
  • blockedCategories:告诉你主要风险来自哪一类,例如链接、钓鱼、内容或代码
  • findings:告诉你具体是哪些文件、哪些文本或哪些规则命中了风险
  • metrics.durationMs:帮助你判断本次扫描耗时
  • metrics.cache:帮助你判断缓存是否真的带来了性能收益

可配置功能选项

下面列出当前插件支持的完整配置项。
说明中的“必填”均指“是否必须由用户显式填写”;本插件所有配置项都不是必填项。

顶层配置项

1. enabled

  • 用途:启用或停用插件
  • 取值范围:true | false
  • 默认值:未在插件源码内单独定义,通常由宿主侧决定
  • 必填:否
  • 示例:
{
  "enabled": true
}

2. blockOnReview

  • 用途:安装/更新类场景下,是否把 review 结果也按拦截处理
  • 取值范围:true | false
  • 默认值:false
  • 必填:否
  • 示例:
{
  "blockOnReview": true
}

3. reviewThreshold

  • 用途:达到该分数后进入人工复核
  • 取值范围:0-100
  • 默认值:45
  • 必填:否
  • 示例:
{
  "reviewThreshold": 50
}

4. blockThreshold

  • 用途:达到该分数后直接拦截
  • 取值范围:0-100
  • 默认值:70
  • 必填:否
  • 示例:
{
  "blockThreshold": 80
}

5. autoApplyCacheOptimization

  • 用途:是否自动采用缓存优化建议
  • 取值范围:false | "recommended" | "conservative" | "balanced" | "aggressive"
  • 默认值:false
  • 必填:否
  • 示例:
{
  "autoApplyCacheOptimization": "recommended"
}

6. blockedDomains

  • 用途:额外补充一组始终视为高风险的域名
  • 取值范围:字符串数组
  • 默认值:
    • unsafe-download.example
    • credential-review.example
    • miner-campaign.example
    • brand-lookalike.example
    • spoofed-login.example
  • 必填:否
  • 示例:
{
  "blockedDomains": ["evil.example", "dropper.example"]
}

7. allowedDomains

  • 用途:补充可信来源域名,减少误报
  • 取值范围:字符串数组
  • 默认值:github.comnpmjs.comregistry.npmjs.orgopenclaw.ai
  • 必填:否
  • 示例:
{
  "allowedDomains": ["internal.example.com", "mirror.example.com"]
}

8. trustedBrands

  • 用途:声明常见可信品牌名,辅助识别品牌仿冒与钓鱼
  • 取值范围:字符串数组
  • 默认值:githubgitlabgooglemicrosoftopenclawslackpaypal
  • 必填:否
  • 示例:
{
  "trustedBrands": ["acme", "contoso"]
}

9. customSensitiveWords

  • 用途:补充业务自定义敏感词
  • 取值范围:字符串数组
  • 默认值:gorekill allexplicitnsfw
  • 必填:否
  • 示例:
{
  "customSensitiveWords": ["credential dump", "self-harm"]
}

10. customSensitivePatterns

  • 用途:补充自定义正则规则,用于检测特定危险表达
  • 取值范围:字符串数组,每项为正则表达式字符串
  • 默认值:
    • (?:ignore|override)\s+(?:all\s+)?(?:previous|prior)\s+instructions
    • act\s+as\s+(?:system|developer|root|admin)
    • reverse\s+shell
  • 必填:否
  • 示例:
{
  "customSensitivePatterns": ["token\\s*exfiltration", "download\\s+and\\s+execute"]
}

11. cacheLimits

  • 用途:控制各类缓存容量,平衡内存占用与重复扫描性能
  • 取值范围:对象;每个子项最小值均为 1
  • 默认值:见下方“缓存容量子项”
  • 必填:否
  • 示例:
{
  "cacheLimits": {
    "preparedArtifacts": 256,
    "hostname": 1024,
    "threatIntelEntries": 128,
    "moderationEntries": 128,
    "customPatterns": 64,
    "customWords": 128,
    "promptFindings": 256,
    "contentFindings": 256,
    "codeFindings": 256,
    "incrementalArtifactsByPlugin": 64,
    "incrementalStatesByPlugin": 64
  }
}

缓存容量子项

1. cacheLimits.preparedArtifacts

  • 用途:缓存预处理后的工件内容
  • 取值范围:整数,>= 1
  • 默认值:512
  • 必填:否
  • 示例:
{
  "cacheLimits": {
    "preparedArtifacts": 256
  }
}

2. cacheLimits.hostname

  • 用途:缓存域名分析结果
  • 取值范围:整数,>= 1
  • 默认值:2048
  • 必填:否
  • 示例:
{
  "cacheLimits": {
    "hostname": 4096
  }
}

3. cacheLimits.threatIntelEntries

  • 用途:缓存威胁情报查询结果
  • 取值范围:整数,>= 1
  • 默认值:256
  • 必填:否
  • 示例:
{
  "cacheLimits": {
    "threatIntelEntries": 512
  }
}

4. cacheLimits.moderationEntries

  • 用途:缓存内容审核结果
  • 取值范围:整数,>= 1
  • 默认值:256
  • 必填:否
  • 示例:
{
  "cacheLimits": {
    "moderationEntries": 512
  }
}

5. cacheLimits.customPatterns

  • 用途:缓存自定义正则模式的处理结果
  • 取值范围:整数,>= 1
  • 默认值:128
  • 必填:否
  • 示例:
{
  "cacheLimits": {
    "customPatterns": 256
  }
}

6. cacheLimits.customWords

  • 用途:缓存自定义敏感词处理结果
  • 取值范围:整数,>= 1
  • 默认值:256
  • 必填:否
  • 示例:
{
  "cacheLimits": {
    "customWords": 512
  }
}

7. cacheLimits.promptFindings

  • 用途:缓存 Prompt 注入检测结果
  • 取值范围:整数,>= 1
  • 默认值:512
  • 必填:否
  • 示例:
{
  "cacheLimits": {
    "promptFindings": 1024
  }
}

8. cacheLimits.contentFindings

  • 用途:缓存内容安全检测结果
  • 取值范围:整数,>= 1
  • 默认值:512
  • 必填:否
  • 示例:
{
  "cacheLimits": {
    "contentFindings": 1024
  }
}

9. cacheLimits.codeFindings

  • 用途:缓存代码安全检测结果
  • 取值范围:整数,>= 1
  • 默认值:512
  • 必填:否
  • 示例:
{
  "cacheLimits": {
    "codeFindings": 1024
  }
}

10. cacheLimits.incrementalArtifactsByPlugin

  • 用途:缓存同一插件历史工件索引,支持增量复扫
  • 取值范围:整数,>= 1
  • 默认值:128
  • 必填:否
  • 示例:
{
  "cacheLimits": {
    "incrementalArtifactsByPlugin": 256
  }
}

11. cacheLimits.incrementalStatesByPlugin

  • 用途:缓存同一插件历史扫描状态,支持增量复扫
  • 取值范围:整数,>= 1
  • 默认值:128
  • 必填:否
  • 示例:
{
  "cacheLimits": {
    "incrementalStatesByPlugin": 256
  }
}

可直接复制的完整配置示例

{
  "enabled": true,
  "blockOnReview": false,
  "reviewThreshold": 45,
  "blockThreshold": 70,
  "autoApplyCacheOptimization": "recommended",
  "blockedDomains": ["evil.example"],
  "allowedDomains": ["github.com", "registry.npmjs.org", "internal.example.com"],
  "trustedBrands": ["openclaw", "github", "acme"],
  "customSensitiveWords": ["credential dump"],
  "customSensitivePatterns": ["download\\s+and\\s+execute"],
  "cacheLimits": {
    "preparedArtifacts": 512,
    "hostname": 2048,
    "threatIntelEntries": 256,
    "moderationEntries": 256,
    "customPatterns": 128,
    "customWords": 256,
    "promptFindings": 512,
    "contentFindings": 512,
    "codeFindings": 512,
    "incrementalArtifactsByPlugin": 128,
    "incrementalStatesByPlugin": 128
  }
}

推荐配置组合

1. 面向大多数团队的默认推荐

{
  "blockOnReview": false,
  "reviewThreshold": 45,
  "blockThreshold": 70,
  "autoApplyCacheOptimization": "recommended"
}

2. 面向强管控环境的严格策略

{
  "blockOnReview": true,
  "reviewThreshold": 40,
  "blockThreshold": 65,
  "autoApplyCacheOptimization": false,
  "blockedDomains": ["evil.example", "dropper.example"]
}

3. 面向高频扫描环境的吞吐优化策略

{
  "blockOnReview": false,
  "reviewThreshold": 45,
  "blockThreshold": 70,
  "autoApplyCacheOptimization": "balanced",
  "cacheLimits": {
    "hostname": 4096,
    "promptFindings": 1024,
    "contentFindings": 1024,
    "codeFindings": 1024
  }
}

包内容

  • index.ts:插件入口与运行时钩子
  • api.ts:公开 TypeScript 合同
  • openclaw.plugin.json:清单与配置 schema
  • skills/security-gate-operator/SKILL.md:操作员工作流 Skill
  • SBOM.json:软件物料清单
  • signature.sig:发布签名清单
  • CI-REPORT.json:发布校验报告
  • rollback-policy.json:缓存优化回滚策略

本地验证

pnpm lint
pnpm typecheck
pnpm test
pnpm validate:local
pnpm benchmark
pnpm verify:license
pnpm verify:sbom
pnpm verify:signature

English

What It Does

Security Gate is a safety checkpoint for OpenClaw. Before OpenClaw trusts a third-party plugin or skill, this plugin inspects the package, looks for risky content, and turns the result into a simple decision:

  • allow
  • review
  • block

Its value is straightforward: it helps users catch unsafe packages early, before suspicious links, phishing content, unsafe code, or malicious instructions reach a live workspace.

When It Runs

The plugin currently becomes active in these typical moments:

  1. When security_gate_scan is called directly
    Useful for pre-release checks, self-audits, and package intake review.
  2. Before install-like or update-like tool calls
    It listens to before_tool_call and inspects operations whose tool names match plugin or skill install/update patterns.
  3. Before OpenClaw sends a message
    It listens to message_sending and scans the outgoing text payload; if the risk is high enough, it cancels the send.
  4. In host-side review workflows
    For example, marketplace checks, publication review, or post-fix rescans that explicitly call the scan tool or the packaged operator skill.

What Happens During a Scan

Each scan follows a clear runtime flow:

  1. Collect package inputs
    The plugin gathers candidate metadata, manifest data, package.json, declared URLs, and text/code/media artifacts.
  2. Normalize and reuse cache
    It prepares scan-ready content and reuses cached work whenever possible to reduce repeated cost.
  3. Run 5 detector families in parallel
    • Prompt injection and instruction override detection
    • Suspicious link detection
    • Phishing and impersonation detection
    • Violent and sexual content detection
    • Static code security detection
  4. Merge findings and compute a score
    The plugin consolidates evidence into a structured report and produces a 0-100 risk score.
  5. Return the final decision
    The tool returns allow / review / block together with findings, blocked categories, timing metrics, cache analysis, and runtime.cacheOptimization.
  6. Optionally auto-apply cache optimization
    If cache auto-apply is enabled, the plugin can adopt a recommended cache profile, monitor runtime health, and automatically roll back to the stable profile if regression signals appear.

Quantifiable Benefits

These benefits are directly measurable from the current implementation:

  • 3 clear outcomes: allow, review, block
  • 0-100 risk score with default thresholds at 45 for review and 70 for blocking
  • 5 detector families covering prompts, links, phishing, unsafe content, and code
  • 840+ generated high-risk code signatures
  • Per-scan timing and cache-hit metrics for operational visibility
  • 11 cache capacity controls for fine-grained performance tuning
  • 5 cache auto-apply states/options: false, recommended, conservative, balanced, aggressive
  • A 168-hour rollback observation window with 4 monitored health signals
  • 9 release checks already passed in the current package validation report

Install

openclaw plugins install clawhub:@openclaw/security-gate

Quick Start

If you want to get value quickly, choose one of these 3 starting modes:

1. Conservative mode: observe first, no automatic cache changes

  • Best for: first-time rollout and low-risk adoption
  • Suggested config:
{
  "blockOnReview": false,
  "reviewThreshold": 45,
  "blockThreshold": 70,
  "autoApplyCacheOptimization": false
}

2. Strict mode: treat review as a stop signal

  • Best for: production environments, internal marketplaces, and stricter governance
  • Suggested config:
{
  "blockOnReview": true,
  "reviewThreshold": 40,
  "blockThreshold": 70,
  "autoApplyCacheOptimization": false
}

3. Throughput mode: allow recommended cache auto-apply

  • Best for: high scan volume and repeated package rescans
  • Suggested config:
{
  "blockOnReview": false,
  "reviewThreshold": 45,
  "blockThreshold": 70,
  "autoApplyCacheOptimization": "recommended"
}

Tool

Tool name: security_gate_scan

Input:

  • candidate: plugin or skill package snapshot
  • config: optional runtime policy override

Output:

  • decision: allow | review | block
  • score: risk score in the 0-100 range
  • findings: matched rules with evidence
  • blockedCategories: high-risk categories that influenced the decision
  • metrics: timing, cache hit, and cache analysis metrics
  • cacheOptimization: recommended cache optimization result for this scan
  • runtime.cacheOptimization: currently active cache limits, stable limits, and auto-apply or rollback state

How To Read The Result

  • allow: no blocking-level risk was found for the current flow
  • review: suspicious content exists and a human check is recommended
  • block: the package or payload is risky enough to stop immediately
  • blockedCategories: shows which risk families drove the decision
  • findings: shows the exact files, texts, or rules that triggered the report
  • metrics.durationMs: shows how long the scan took
  • metrics.cache: shows whether cache reuse is improving scan efficiency

Configuration Options

All configuration keys are optional. The list below covers the full set of supported options.

Top-Level Options

1. enabled

  • Purpose: turns the plugin on or off
  • Range: true | false
  • Default: not defined inside the plugin runtime itself; typically controlled by the host
  • Required: no
  • Example:
{
  "enabled": true
}

2. blockOnReview

  • Purpose: treats review as a blocking result for install or update flows
  • Range: true | false
  • Default: false
  • Required: no
  • Example:
{
  "blockOnReview": true
}

3. reviewThreshold

  • Purpose: score threshold that moves a package into manual review
  • Range: 0-100
  • Default: 45
  • Required: no
  • Example:
{
  "reviewThreshold": 50
}

4. blockThreshold

  • Purpose: score threshold that blocks a package
  • Range: 0-100
  • Default: 70
  • Required: no
  • Example:
{
  "blockThreshold": 80
}

5. autoApplyCacheOptimization

  • Purpose: automatically adopts cache optimization plans
  • Range: false | "recommended" | "conservative" | "balanced" | "aggressive"
  • Default: false
  • Required: no
  • Example:
{
  "autoApplyCacheOptimization": "recommended"
}

6. blockedDomains

  • Purpose: adds domains that should always be treated as high risk
  • Range: array of strings
  • Default:
    • unsafe-download.example
    • credential-review.example
    • miner-campaign.example
    • brand-lookalike.example
    • spoofed-login.example
  • Required: no
  • Example:
{
  "blockedDomains": ["evil.example", "dropper.example"]
}

7. allowedDomains

  • Purpose: adds trusted source domains to reduce false positives
  • Range: array of strings
  • Default: github.com, npmjs.com, registry.npmjs.org, openclaw.ai
  • Required: no
  • Example:
{
  "allowedDomains": ["internal.example.com", "mirror.example.com"]
}

8. trustedBrands

  • Purpose: provides brand names used to identify impersonation and phishing
  • Range: array of strings
  • Default: github, gitlab, google, microsoft, openclaw, slack, paypal
  • Required: no
  • Example:
{
  "trustedBrands": ["acme", "contoso"]
}

9. customSensitiveWords

  • Purpose: adds organization-specific sensitive terms
  • Range: array of strings
  • Default: gore, kill all, explicit, nsfw
  • Required: no
  • Example:
{
  "customSensitiveWords": ["credential dump", "self-harm"]
}

10. customSensitivePatterns

  • Purpose: adds custom regex patterns for dangerous phrasing
  • Range: array of regex strings
  • Default:
    • (?:ignore|override)\s+(?:all\s+)?(?:previous|prior)\s+instructions
    • act\s+as\s+(?:system|developer|root|admin)
    • reverse\s+shell
  • Required: no
  • Example:
{
  "customSensitivePatterns": ["token\\s*exfiltration", "download\\s+and\\s+execute"]
}

11. cacheLimits

  • Purpose: tunes cache capacity to balance memory use and repeated scan speed
  • Range: object; every nested value must be >= 1
  • Default: see the cache sub-options below
  • Required: no
  • Example:
{
  "cacheLimits": {
    "preparedArtifacts": 256,
    "hostname": 1024,
    "threatIntelEntries": 128,
    "moderationEntries": 128,
    "customPatterns": 64,
    "customWords": 128,
    "promptFindings": 256,
    "contentFindings": 256,
    "codeFindings": 256,
    "incrementalArtifactsByPlugin": 64,
    "incrementalStatesByPlugin": 64
  }
}

Cache Capacity Sub-Options

1. cacheLimits.preparedArtifacts

  • Purpose: caches prepared artifact content
  • Range: integer, >= 1
  • Default: 512
  • Required: no
  • Example:
{
  "cacheLimits": {
    "preparedArtifacts": 256
  }
}

2. cacheLimits.hostname

  • Purpose: caches hostname analysis results
  • Range: integer, >= 1
  • Default: 2048
  • Required: no
  • Example:
{
  "cacheLimits": {
    "hostname": 4096
  }
}

3. cacheLimits.threatIntelEntries

  • Purpose: caches threat-intelligence lookups
  • Range: integer, >= 1
  • Default: 256
  • Required: no
  • Example:
{
  "cacheLimits": {
    "threatIntelEntries": 512
  }
}

4. cacheLimits.moderationEntries

  • Purpose: caches moderation results
  • Range: integer, >= 1
  • Default: 256
  • Required: no
  • Example:
{
  "cacheLimits": {
    "moderationEntries": 512
  }
}

5. cacheLimits.customPatterns

  • Purpose: caches processed custom regex patterns
  • Range: integer, >= 1
  • Default: 128
  • Required: no
  • Example:
{
  "cacheLimits": {
    "customPatterns": 256
  }
}

6. cacheLimits.customWords

  • Purpose: caches processed custom word rules
  • Range: integer, >= 1
  • Default: 256
  • Required: no
  • Example:
{
  "cacheLimits": {
    "customWords": 512
  }
}

7. cacheLimits.promptFindings

  • Purpose: caches prompt-injection findings
  • Range: integer, >= 1
  • Default: 512
  • Required: no
  • Example:
{
  "cacheLimits": {
    "promptFindings": 1024
  }
}

8. cacheLimits.contentFindings

  • Purpose: caches content-safety findings
  • Range: integer, >= 1
  • Default: 512
  • Required: no
  • Example:
{
  "cacheLimits": {
    "contentFindings": 1024
  }
}

9. cacheLimits.codeFindings

  • Purpose: caches code-security findings
  • Range: integer, >= 1
  • Default: 512
  • Required: no
  • Example:
{
  "cacheLimits": {
    "codeFindings": 1024
  }
}

10. cacheLimits.incrementalArtifactsByPlugin

  • Purpose: caches historical artifact indexes per plugin for incremental rescans
  • Range: integer, >= 1
  • Default: 128
  • Required: no
  • Example:
{
  "cacheLimits": {
    "incrementalArtifactsByPlugin": 256
  }
}

11. cacheLimits.incrementalStatesByPlugin

  • Purpose: caches historical scan states per plugin for incremental rescans
  • Range: integer, >= 1
  • Default: 128
  • Required: no
  • Example:
{
  "cacheLimits": {
    "incrementalStatesByPlugin": 256
  }
}

Full Copy-Paste Example

{
  "enabled": true,
  "blockOnReview": false,
  "reviewThreshold": 45,
  "blockThreshold": 70,
  "autoApplyCacheOptimization": "recommended",
  "blockedDomains": ["evil.example"],
  "allowedDomains": ["github.com", "registry.npmjs.org", "internal.example.com"],
  "trustedBrands": ["openclaw", "github", "acme"],
  "customSensitiveWords": ["credential dump"],
  "customSensitivePatterns": ["download\\s+and\\s+execute"],
  "cacheLimits": {
    "preparedArtifacts": 512,
    "hostname": 2048,
    "threatIntelEntries": 256,
    "moderationEntries": 256,
    "customPatterns": 128,
    "customWords": 256,
    "promptFindings": 512,
    "contentFindings": 512,
    "codeFindings": 512,
    "incrementalArtifactsByPlugin": 128,
    "incrementalStatesByPlugin": 128
  }
}

Recommended Config Recipes

1. Recommended baseline for most teams

{
  "blockOnReview": false,
  "reviewThreshold": 45,
  "blockThreshold": 70,
  "autoApplyCacheOptimization": "recommended"
}

2. Strict policy for controlled environments

{
  "blockOnReview": true,
  "reviewThreshold": 40,
  "blockThreshold": 65,
  "autoApplyCacheOptimization": false,
  "blockedDomains": ["evil.example", "dropper.example"]
}

3. Throughput-oriented policy for heavy scan traffic

{
  "blockOnReview": false,
  "reviewThreshold": 45,
  "blockThreshold": 70,
  "autoApplyCacheOptimization": "balanced",
  "cacheLimits": {
    "hostname": 4096,
    "promptFindings": 1024,
    "contentFindings": 1024,
    "codeFindings": 1024
  }
}

Package Contents

  • index.ts: plugin entry and runtime hooks
  • api.ts: public TypeScript contract
  • openclaw.plugin.json: manifest and config schema
  • skills/security-gate-operator/SKILL.md: operator workflow skill
  • SBOM.json: software bill of materials
  • signature.sig: release signature manifest
  • CI-REPORT.json: release verification report
  • rollback-policy.json: cache optimization rollback policy

Local Validation

pnpm lint
pnpm typecheck
pnpm test
pnpm validate:local
pnpm benchmark
pnpm verify:license
pnpm verify:sbom
pnpm verify:signature