Plugin v1.2.1
ClawScan security
Jellyfish Security Plugin · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 13, 2026, 12:11 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The package is a coherent security plugin: its code, manifests, and runtime instructions align with the stated purpose (prompt/behavioral checks + VirusTotal/HSTI lookups); nothing in the files indicates intentional misdirection or hidden exfiltration.
- Guidance: This package appears to implement what it claims: a gateway plugin that monitors events and uses VirusTotal/Hillstone or custom TI endpoints for reputation lookups. Before installing, consider:
  1. Confirm you want an auto-starting plugin that monitors chat, web fetches, browser opens, file downloads, commands, and skill installs — it will run automatically if your gateway honors the plugin manifests.
  2. Provide a VirusTotal API key only if you trust the plugin and understand rate limits; uploading unknown local files is disabled by default (enable only if you accept the privacy implications).
  3. The package writes a local .env and state files under the plugin base_dir; check and control that base_dir.
  4. If you need stronger assurance, inspect dist/index.js (native setup entry) and threat_intel code paths for exact outbound endpoints and TLS behavior, and run the included tests locally to verify behavior in your environment.

  Finally, note the minor metadata inconsistency: registry metadata lists no required env vars even though the plugin reads VIRUSTOTAL_API_KEY/.env — this is a documentation/packaging omission rather than an operational red flag.
- Findings: [ignore-previous-instructions] expected: SKILL.md and detectors include detection logic for prompt injection phrases such as 'ignore previous instructions' — the scanner found that phrase. This is expected and relevant to the plugin's purpose (it flags prompt-injection attempts).
Review Dimensions
- Purpose & Capability (ok): The name/description match the code and manifests: openclaw.json/openclaw.plugin.json declare hooks, monitors, and commands for an always-running security plugin that inspects chat, web fetches, downloads, skill installs, etc. The code implements detectors, TI lookups, caching, and audit logs — all expected for this purpose.
- Instruction Scope (ok): SKILL.md and PLUGIN.md instruct local installation (pip install -r requirements.txt, copy .env.example) and show run/command examples that map to the available plugin API and command handlers. The runtime instructions and code only read/write plugin-local config/state (config/security_config.json, base_dir/.env, state/*) and perform reputation checks; they do not instruct arbitrary reads of unrelated system files or exfiltration to unknown endpoints. The plugin can upload files to VirusTotal but that behavior is disabled by default and documented in the caveats.
- Install Mechanism (ok): This is effectively an instruction-only/packaged-code skill with no external install script: no installer download URLs or archive extracts are present. The repo contains Python sources and a JS dist/manifest for native integration; installing dependencies is a simple pip install -r requirements.txt (requests). No high-risk remote install steps observed.
- Credentials (note): The package does use environment variables (e.g., VIRUSTOTAL_API_KEY, HS_TI_API_KEY) and reads os.environ and a .env file, but the registry metadata listed 'Required env vars: none'. This is not necessarily malicious — the credentials are optional (VT lookup works without a key but is improved with one) and the repo includes .env.example and explicit commands to set the VT key. Still, the metadata omission is inconsistent: the plugin will read an API key from environment or .env and can persist a key to .env via /sec set-vt-key.
- Persistence & Privilege (note): The plugin manifests (openclaw.json/openclaw.plugin.json) declare autoStart and many monitor hooks so it will run automatically when installed (monitors: chat, web_fetch, browser_open, file_download, run_command, skill_install, etc.). The registry 'always' flag is false, but the plugin is designed to be auto-started by the gateway. Autonomous invocation/monitoring is expected for a security plugin; review that you are comfortable with an auto-starting component that observes those event types.
