Opik
Result: Pass
Audited by ClawScan on Apr 23, 2026.
Overview
This plugin appears to do what it claims (export OpenClaw traces to Opik); code and docs align with that purpose, but there are privacy-relevant behaviors and small metadata inconsistencies you should be aware of before enabling it in a production gateway.
What to consider before installing:

- This plugin sends OpenClaw traces (LLM requests/responses, tool calls, subagent activity, and related metadata) to an Opik endpoint. If you enable it, make sure you trust the Opik instance (comet.com or your self-hosted Opik) before providing an API key.
- The exporter can upload local files referenced explicitly in transcripts (media:/, file://, or markdown image links). That upload only happens for explicitly marked local-media references, but if your agents or tools include such local paths in messages, those files could be transmitted. If you are concerned about leaking local files, enable sanitization (toolResultPersistSanitizeEnabled) or keep the plugin disabled.
- The README and source show that the plugin reads and writes the OpenClaw plugin config (e.g. ~/.openclaw/openclaw.json). If you want to limit scope, pin plugins via plugins.allow and review the plugin config after configuring.
- The registry metadata does not declare the environment-variable fallbacks (OPIK_API_KEY, etc.). This is a minor inconsistency; treat the env vars documented in the README as the real fallbacks.
- The prompt-injection detector flagged SKILL.md, but this appears to be a false positive triggered by README HTML. Nevertheless, always review CLI prompts during interactive configuration and avoid pasting secrets into untrusted prompts.
- If you need strong data control, prefer a self-hosted Opik instance and test in an isolated environment before enabling the plugin on production gateways.

If you want, I can list the exact files and code locations where the plugin reads config, where it extracts local media paths, and where it sends data to the Opik API so you can perform a deeper review.
