OpenSpec Openclaw Plugin
WarnAudited by ClawScan on May 13, 2026.
Overview
Review recommended: the plugin matches its OpenSpec purpose, but one file-inclusion feature can be steered to read files outside the intended OpenSpec change folder.
Install only if you need OpenSpec integration. Pin and verify the OpenSpec CLI, configure `allowedRoots` and `readOnly` where possible, avoid `openspec_run` unless necessary, and avoid `includeFiles` or unusual change names until the path validation issue is fixed.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent could accidentally or intentionally load local files outside the intended OpenSpec change into the conversation/tool result.
`changeName` is used to choose a recursive file-read root without rejecting absolute paths, `..`, or path separators. Since `openspec_show` can pass the requested name here when `includeFiles` is true, a crafted name can resolve outside `openspec/changes` and return local file contents.
const root = path.resolve(projectPath, "openspec", "changes", changeName);
const files: Record<string, string> = {};
await walk(root, root, files, maxBytes);Validate change/spec names, reject absolute paths and `..`, ensure the resolved path remains under `projectPath/openspec/changes`, apply `allowedRoots` to file reads, and add total output limits or user approval for raw file dumps.
The installed OpenSpec command can read or modify project files according to the invoked subcommand.
The plugin executes the configured OpenSpec binary with inherited environment variables. This is disclosed and central to the plugin's purpose, but users should understand that installing it lets agents run that external CLI.
const child = spawn(command, args, {
cwd: opts.cwd,
env,
shell: process.platform === "win32",
});Use a trusted OpenSpec binary, configure `allowedRoots`, and enable `readOnly` when you only need inspection.
Agents may run OpenSpec subcommands outside the safer normalized tool set, which could mutate project files if the CLI supports additional write operations.
`openspec_run` is a disclosed escape hatch that passes raw OpenSpec arguments through, while read-only mode blocks only a small denylist of known mutators.
name: "openspec_run", description: "Escape hatch: run an arbitrary openspec subcommand with raw arguments. Use only when no normalized tool fits." ... const denied = ["init", "update", "archive"].find((cmd) => params.args[0] === cmd);
Prefer the normalized tools, keep `openspec_run` for exceptional cases, and consider replacing the denylist with an allowlist when `readOnly` is enabled.
A future or compromised OpenSpec CLI version on PATH would be what this plugin executes.
The plugin depends on a separately installed global CLI and the documentation suggests the floating `@latest` version, so that external code is outside this bundle's reviewed source.
`@fission-ai/openspec` available on `PATH` (`npm install -g @fission-ai/openspec@latest`)
Install OpenSpec from a trusted source, pin a known-good version, and control which binary appears on PATH or in the plugin `command` setting.