Recursant for OpenClaw
Review
Audited by ClawScan on May 15, 2026.
Overview
This is largely a disclosed governance plugin, but its code contradicts its documentation on two points, outbound PII redaction and deregistration on shutdown, so users should review it before relying on it.
Install it only if you trust the configured Recursant registry and want it to govern your OpenClaw instance. Note that it starts automatically, sits in the path of tool, LLM and message handling, stores registry credentials locally, sends audit metadata and an instance fingerprint to the registry, does not redact outbound chat in this version, and does not deregister on shutdown despite what the documentation says.
Publisher note
Plugin makes outbound HTTPS to the user-configured Recursant registry for enrollment, heartbeat, policy pulls, and audit batches. The registry URL is set by the operator via plugin config (not hard-coded), and credentials are read from ~/.recursant/openclaw.json or env. No telemetry to any third party.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A trusted Recursant registry/operator can affect what tools the agent may use and how some traffic is handled.
The plugin is designed to sit in the agent's execution path and affect tool, model, and message traffic. This is disclosed and purpose-aligned, but it is broad authority over agent behavior.
governs the instance's tool calls, LLM calls, and chat messages via in-process interceptors: authorisation, PII redaction, rate limiting, and audit
Install only if you intend to delegate governance to the configured Recursant registry and trust the policy operator.
The registry can associate this OpenClaw instance with a tenant and issue credentials for ongoing policy/audit access.
Enrollment sends the configured token and instance fingerprint to the configured registry and receives a JWT identity. This is expected for the integration, but it is credential-bearing account enrollment.
enrollment_token: this.config.enrollmentToken, tenant_id: this.config.tenantId, machine_id: fingerprint.machineId, instance_fingerprint: fingerprint, plugin_version: this.pluginVersion
Use a trusted HTTPS registry, protect the enrollment token, and revoke the instance from the registry if it should no longer be managed.
The registry will receive metadata about tool calls, LLM calls, messages, instance IDs, and timestamps.
The plugin sends audit batches to the configured Recursant registry. The included handlers appear to send event metadata rather than full prompt/message content, but it is still an external control-plane data flow.
async pushAuditBatch(events) {
  if (events.length === 0)
    return;
  await this.post("/v1/openclaw/instances/audit", { events });
}
Confirm the configured registry is trusted and that its audit retention policy matches your privacy requirements.
Users may believe outgoing chat is being redacted when it is not, which can lead to accidental disclosure of personal or sensitive information.
SKILL.md/README advertise `message_sending` as providing PII redaction on outbound chat, but the implementation explicitly does not return rewritten outbound content.
// message_sending result accepts { content?, cancel? }; we don't rewrite
// outbound bodies in v0, so always return undefined.
return undefined;
Do not rely on this version for outbound-chat PII protection until the docs and implementation match; the publisher should either implement redaction or clearly document the limitation.
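As an added illustration (not Recursant's or ClawScan's code), the following contrasts the v0 behaviour quoted above, a hook that always returns undefined so the outbound body leaves unchanged, with a message_sending hook that does return redacted content. The { content?, cancel? } result shape comes from the quoted comment; the event field name (event.content), the host-side handling modelled in applyHook, the PII patterns, the Luhn filter and the cancelOn option are assumptions made for the example.

```javascript
// Added example, not Recursant's or ClawScan's code. It contrasts the v0
// message_sending hook described in the review (always returns undefined, so
// the outbound body is sent as-is) with a hook that actually returns redacted
// content. Assumptions: the hook receives an event with a string `content`
// field; the host sends `result.content` when present and drops the message
// when `result.cancel` is true (the { content?, cancel? } shape is from the
// review's quoted comment); the PII patterns below are illustrative only.

// Luhn check so that only plausible card numbers are redacted; 16-digit
// order or reference numbers that fail the checksum are left alone.
function luhnValid(candidate) {
  const digits = candidate.replace(/\D/g, "");
  if (digits.length < 13) return false;
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// Illustrative PII shapes (assumed). Order matters: e-mail first so its digits
// are never mistaken for a number, card before phone so a 16-digit card is not
// partially matched as a phone number.
const PII_PATTERNS = [
  { name: "email", re: /\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b/g },
  { name: "card", re: /\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b/g, validate: luhnValid },
  { name: "ssn", re: /\b\d{3}-\d{2}-\d{4}\b/g },
  { name: "phone", re: /\b\d{3}[ .-]\d{3}[ .-]\d{4}\b/g },
];

// Returns the redacted text plus a per-category count of what was replaced.
function redactPii(text) {
  const counts = {};
  let out = text;
  for (const { name, re, validate } of PII_PATTERNS) {
    out = out.replace(re, (match) => {
      if (validate && !validate(match)) return match; // leave false positives untouched
      counts[name] = (counts[name] || 0) + 1;
      return `[REDACTED:${name}]`;
    });
  }
  return { text: out, counts };
}

// v0 behaviour as quoted in the review: never rewrites, so the host sends the
// agent's output verbatim.
function messageSendingV0(_event) {
  return undefined;
}

// Redacting hook. Returns { content } so the host sends the rewritten body,
// { cancel: true } when a category listed in cancelOn is present (assumed
// option, e.g. block any message carrying a Luhn-valid card number), and
// undefined when nothing needed changing.
function messageSendingRedacting(event, { cancelOn = [] } = {}) {
  if (typeof event.content !== "string") return undefined; // nothing we can rewrite
  const { text, counts } = redactPii(event.content);
  if (cancelOn.some((name) => counts[name] > 0)) return { cancel: true };
  if (Object.keys(counts).length === 0) return undefined;
  return { content: text };
}

// Assumed model of how the host applies the hook result.
function applyHook(hook, event, opts) {
  const result = hook(event, opts);
  if (result && result.cancel) return { sent: false, body: null };
  const body = result && typeof result.content === "string" ? result.content : event.content;
  return { sent: true, body };
}

// Constructed sample outbound message (not a captured one).
const SAMPLE = {
  content:
    "Customer jane.doe@example.com called from 415-555-0123; card 4111 1111 1111 1111, order 1234-5678-9012-3456.",
};

console.log("v0      :", applyHook(messageSendingV0, SAMPLE).body);
console.log("redacted:", applyHook(messageSendingRedacting, SAMPLE).body);
console.log("cancel  :", applyHook(messageSendingRedacting, SAMPLE, { cancelOn: ["card"] }));
```

The point of the contrast is that the v0 hook is indistinguishable from a working one from the outside: the host receives a valid result (undefined) either way, so the only way to know redaction is not happening is to read the implementation, as the finding above did. The Luhn filter shows the kind of false-positive handling a real redactor needs, since blanket digit-run masking would also mangle order numbers and identifiers the recipient legitimately needs.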
The instance remains enrolled and can resume using cached credentials until the registry administrator revokes it or the local credentials are removed.
The plugin persists registry identity credentials and intentionally does not deregister on shutdown, while SKILL.md/README describe `gateway_start`/`gateway_stop` as `Enrol, heartbeat, deregister`.
credentialsStore.save({
  ...identity,
  savedAt: new Date().toISOString(),
  registryUrl: config.registryUrl,
  tenantId: config.tenantId,
});
...
// Intentionally do NOT deregister on shutdown
Document the persistence clearly, provide an explicit cleanup/deregister path, and tell users how to revoke registry access and delete `~/.recursant/openclaw-credentials.json` if needed.
