Truclaw
Warn
Audited by ClawScan on May 18, 2026.
Overview
TruClaw is a coherent approval-guardrail plugin, but it sends sensitive approval and tool-call details to external services in ways that are not fully disclosed, and its pairing link effectively grants approval authority.
Review this carefully before installing. If you use it, pair only from a private session, assume tool commands and invoked script contents may be sent to Anthropic, and consider self-hosting the relay. Do not use it for highly sensitive environments until the publisher documents all external data flows, removes the third-party QR-link exposure or makes it local, and adds clear pairing confirmation/revocation controls.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Private source code, secrets embedded in commands, or sensitive operational details could be sent to Anthropic during risk classification before the user approves the action.
The plugin can read the contents of an invoked local script and send that content, along with tool arguments, to Anthropic for classification. The docs describe transmitted data mainly as tool-call metadata, which understates the possible sensitivity of full script contents or command arguments.
const content = await fs.promises.readFile(resolved, "utf8"); ... `Script content:\n\`\`\`\n${scriptContent}\n\`\`\`` ... fetch("https://api.anthropic.com/v1/messages", { ... messages: [{ role: "user", content: userContent }] })
Install only if you are comfortable with this provider data flow. The publisher should clearly disclose that script contents and full tool arguments may be sent, provide redaction controls, and ideally offer a local/self-hosted classifier option.
A third-party QR service or a client that previews the QR image can learn a live pairing URL; if abused within the timeout window, that URL could be used to attempt device pairing.
The generated QR-code URL sends the live pairing link, including sessionId and webhookURL, to api.qrserver.com. This third-party QR service is not included in the documented trust/data-flow path.
const pairingLink = `https://aasa.trusources.ai/openclaw?sessionId=${sessionId}&webhookURL=${encodeURIComponent(webhookURL)}`;
const qrImageUrl = `https://api.qrserver.com/v1/create-qr-code/?size=300x300&data=${encodeURIComponent(pairingLink)}`;
Generate QR codes locally or disclose the QR provider explicitly. Treat pairing links as secrets, avoid posting them in shared channels, and add an in-client confirmation step before accepting a newly paired device.
Whoever obtains the pairing session link during its validity window may be able to register an approval device, which could later approve sensitive tool calls.
The relay pairs a device that presents a valid session path plus public key and push token, without showing an additional user identity check or confirmation step in the provided code.
if (request.method === "POST" && path.startsWith("/pair/")) { ... if (!body.publicKey) return json({ error: "missing publicKey" }, 400); if (!body.fcmToken) return json({ error: "missing fcmToken" }, 400); await env.TRUKYC_KV.put(`pair:${sessionId}`, JSON.stringify({ publicKey: body.publicKey, fcmToken: body.fcmToken, ... })) }
Pair only in a private channel. The publisher should bind pairing to an authenticated local user action, display a final confirmation in OpenClaw, and make it easy to list/revoke paired devices.
A cleverly crafted command, argument, or script comment could potentially influence the classifier and reduce the chance that a dangerous action receives phone approval.
Untrusted tool arguments and script content are placed into the LLM prompt whose JSON response is used for danger classification. For a security guardrail, this creates a prompt-injection-sensitive decision point unless reinforced by deterministic policy checks.
Reply with JSON only ... { "dangerous": true/false, "reason": "one line explanation", "action": "see ACTION FIELD RULES below" } ... Tool: ${toolName}\nArgs: ${JSON.stringify(toolArgs)}
Do not rely solely on LLM classification for high-impact actions. Use deterministic deny/challenge rules for network sends, file writes/deletes, credential access, package installs, financial actions, and code execution; treat prompt-injection-like content as suspicious.
Users may not see required credentials and relay configuration accurately represented at install time.
The registry metadata does not declare required environment variables, while SKILL.md and openclaw.plugin.json require TRUKYC_RELAY_URL and ANTHROPIC_API_KEY_TRUKYC. This appears to be a packaging/metadata mismatch rather than hidden code behavior.
Version: 1.5.1 ... Required env vars: none ... Primary credential: none
Update registry metadata to match the plugin manifest and documentation, including required env vars, credential sensitivity, and exact version.
