Simplaix Gateway

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The plugin is a coherent Simplaix Gateway policy/audit integration, but its default fail-open behavior, default allow-all fallback policy, and unauthenticated local start/stop controls need careful review.

Install only if you trust the Simplaix Gateway deployment and are comfortable sending tool activity to it. Before relying on it for safety, consider changing the fail-open and catch-all-allow defaults, restricting who can run /lobster-shell commands, protecting the runtime token, and manually approving any setup steps that clone code, install dependencies, or start tunnels.

Static analysis

Dangerous exec

Critical
Finding
Shell command execution detected (child_process).
Content
const child = spawn("lsof", ["-n", "-i", `:${port}`, "-t"], { stdio: ["ignore", "pipe", "ignore"] });

Destructive delete command

Warn
Finding
Documentation contains a destructive delete command without an explicit confirmation gate.
Content
rm -rf ~/.openclaw/plugins/lobster-shell

Env credential access

Critical
Finding
Environment variable access combined with network send.
Content
const gatewayUrl = (cfg.gatewayUrl ?? process.env.SIMPLAIX_GATEWAY_URL ?? "").replace(/\/$/, "");

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
High
What this means

If the Gateway is down, misconfigured, or unreachable, high-risk tools can run without the intended policy or mobile approval check.

Why it was flagged

The before_tool_call hook explicitly allows the original tool call if the Gateway policy check fails.

Skill content
// Gateway unreachable — fail-open ... evaluate failed (${String(err)}), allowing
Recommendation

Use this only if fail-open is acceptable; prefer a fail-closed mode or add monitoring/health checks before relying on it for enforcement.

ASI02: Tool Misuse and Exploitation
Medium
What this means

New or renamed high-impact tools may bypass confirmation because they fall through to the default allow rule.

Why it was flagged

The default seeded policy allows any tool that does not match a more specific rule.

Skill content
add_rule "*" "allow" "low" "Default allow for unmatched tools"
Recommendation

Review and tighten the seeded policies before relying on them; consider making unmatched tools deny or require confirmation.

ASI05: Unexpected Code Execution
High
What this means

Anyone able to invoke the /lobster-shell command in the agent context may be able to start a long-running local process that inherits sensitive environment variables.

Why it was flagged

The registered command can be invoked without the plugin's auth requirement and starts a detached pnpm process in a configured local directory with the agent environment.

Skill content
name: "lobster-shell" ... requireAuth: false ... spawn("pnpm", ["dev:server"], { cwd: gatewayRoot, detached: true, stdio: "ignore", env: process.env })
Recommendation

Restrict command access, require explicit user approval, avoid passing the full environment, and ensure gatewayRoot points only to a trusted reviewed checkout.

ASI02: Tool Misuse and Exploitation
Medium
What this means

A misconfigured gatewayUrl or unintended command use could stop an unrelated local service listening on the same port.

Why it was flagged

The stop action terminates all local PIDs listening on the configured port, without verifying that they belong to Simplaix Gateway.

Skill content
const pids = await listPidsByPort(port); ... process.kill(pid, "SIGTERM");
Recommendation

Add process identity checks and confirmation before stopping processes, and limit this command to trusted local users.

ASI04: Agentic Supply Chain Vulnerabilities
Medium
What this means

An agent following the guide may run mutable remote project code, install packages, modify local configuration, and expose a local Gateway without explicit review at each step.

Why it was flagged

The guide frames remote code checkout, dependency installation, service startup, config mutation, and tunneling as an agent-completed workflow.

Skill content
Goal: let an OpenClaw agent complete installation and configuration end-to-end ... Clone source code (GitHub) ... pnpm install ... Start Cloudflare tunnel
Recommendation

Require user approval for each setup step, pin the gateway source to a reviewed commit, and review tunnel scripts before running them.

ASI07: Insecure Inter-Agent Communication
Medium
What this means

Tool parameters and session identifiers may contain sensitive task context and will be visible to the configured Gateway.

Why it was flagged

The plugin sends tool-call details and session context to the configured Gateway for policy evaluation.

Skill content
body: JSON.stringify({ toolName: event.toolName, providerId, params: event.params, sessionKey: ctx.sessionKey })
Recommendation

Use a trusted Gateway URL, prefer local or controlled deployments for sensitive work, and understand what audit data the Gateway stores.

ASI03: Identity and Privilege Abuse
Low
What this means

Anyone who can read the OpenClaw config or environment may be able to use the agent's Gateway runtime token.

Why it was flagged

The setup requires storing and using a Gateway runtime token for agent identity.

Skill content
"SIMPLAIX_AGENT_RUNTIME_TOKEN": "<RUNTIME_TOKEN from step 2>"
Recommendation

Protect ~/.openclaw/openclaw.json, avoid sharing logs or configs containing tokens, and rotate the runtime token if exposed.