Code PluginExecutes codesource-linked

Clawxrouter

Edge-cloud collaborative routing plugin that keeps sensitive data local and routes tasks to cost-effective models — protects user privacy by classifying requests into three safety levels and redacting PII before any cloud forwarding

Community code plugin. Review compatibility and verification before install.

clawxrouter · runtime id ClawXRouter

Install

openclaw plugins install clawhub:clawxrouter

Latest Release

Version 1.0.6

Download zip

Compatibility

{
  "builtWithOpenClawVersion": "2026.3.28",
  "pluginApiRange": ">=2026.3.22"
}

Capabilities

{
  "bundledSkills": [],
  "capabilityTags": [
    "executes-code"
  ],
  "channels": [],
  "commandNames": [],
  "configSchema": true,
  "configUiHints": false,
  "executesCode": true,
  "hooks": [],
  "httpRouteCount": 0,
  "materializesDependencies": false,
  "providers": [],
  "runtimeId": "ClawXRouter",
  "serviceNames": [],
  "setupEntry": false,
  "toolNames": []
}

Security Scan

VirusTotal

Benign

View report →

OpenClaw

Benign

medium confidence

✓

Purpose & Capability

The name/description (privacy-aware router, local guard agent, proxying to cloud models) matches the included code: provider registration, model mirroring, a local privacy proxy, rule- and model-based detectors, and config/dashboard persistence. The files and defaults (e.g., ~/.openclaw/clawxrouter.json, guard workspace) are coherent with the declared purpose.

ℹ

Instruction Scope

Runtime behavior includes starting a local HTTP privacy proxy, running a guard agent, running rule- and local-model detectors, and reading/writing config under ~/.openclaw. The repo includes SYSTEM-style prompt files for internal classifiers (e.g., detection-system.md) that instruct the guard agent to emit strict JSON; this is expected for a classifier but is a kind of system-prompt content — verify the agent runs those prompts in an isolated guard process rather than injecting them into the host agent's system prompt. Also note the token-saver router references an external judgeEndpoint (openrouter.ai) — if the plugin is configured to call that judge you should confirm what content is sent and whether PII is redacted first.

✓

Install Mechanism

No install spec or remote downloads are included; the package is code-only and relies on the host OpenClaw SDK. That reduces install-time risk (nothing being fetched and executed from arbitrary URLs). Dependencies are standard npm packages and appear in package.json/package-lock.json.

ℹ

Credentials

The plugin declares no required environment variables, which is reasonable. At runtime it will read the platform's api.config (model/provider configs) and may use provider apiKey fields from there to register model targets for the proxy — that is necessary for a proxy that forwards to cloud providers, but it means the plugin will have access to keys stored in the platform config. The default rule lists include paths like ~/.ssh and ~/.aws as S3-level sensitive paths; those are part of detection rules (not explicit external credential requests) but you should review rules and paths before enabling since they affect classification and routing decisions.

✓

Persistence & Privilege

The skill does persist config and workspace files under the user's home (e.g., ~/.openclaw/clawxrouter.json and ~/.openclaw/workspace-guard). It does not request always:true and does not appear to modify other plugins' configs beyond best-effort runtime patching of the in-memory model/provider snapshot. This level of persistence is expected for a plugin that manages local state and a guard agent.

Scan Findings in Context

[system-prompt-override] expected: The bundle contains SYSTEM-style prompt files (e.g., prompts/detection-system.md) which instruct the local guard agent to output only JSON and be strict. This looks intentional and appropriate for an internal classifier, but system-prompt-like content should be run inside an isolated guard agent rather than injected into the host agent's global system prompt.

Assessment

This plugin is internally coherent with its privacy-routing purpose, but review a few operational risks before installing: - Review and customize the default config (config.example.json) before enabling: S2/S3 rules, listed sensitive paths, s2Policy (proxy vs local), and proxyPort. Defaults write to ~/.openclaw and create a guard workspace. - Confirm where the privacy proxy listens (default localhost:8403) and ensure only trusted local processes can access it; if the host binds to non-local interfaces that could expose forwarded content. - Check how external services are used: token-saver/judgeEndpoint points to openrouter.ai in the shipped example. Decide whether task-judging or other remote calls are allowed for your environment, and ensure PII redaction is enabled for any classifier that forwards content externally. - Verify that provider API keys stored in the OpenClaw config (api.config / models.providers.*.apiKey) are acceptable to be read/used by this plugin — the proxy may need those keys to forward requests. - Understand guard-agent isolation: prompts in prompts/ are designed for the local guard agent; confirm the plugin runs those in an isolated guard process and that guard history is stored under the plugin's workspace (not merged into global, unless you choose to). - Test on non-sensitive data first to confirm redaction/ routing behavior is what you expect. If you want, I can point out specific files/lines to review (e.g., privacy-proxy and provider code paths) or produce a checklist of settings to change before enabling.

Verification

{
  "hasProvenance": false,
  "scanStatus": "clean",
  "scope": "artifact-only",
  "sourceCommit": "d373837",
  "sourceRepo": "OpenBMB/ClawXRouter",
  "sourceTag": "d373837",
  "summary": "Validated package structure and linked the release to source metadata.",
  "tier": "source-linked"
}