Back to plugin

Security audit

Sanna Governance

Security checks across malware telemetry and agentic risk

Overview

The plugin's code, instructions, and shipped constitutions match the stated purpose (governing OpenClaw tool calls and producing signed receipts); nothing requested is disproportionate to that goal.

This package appears to do what it says: intercept OpenClaw tool calls, evaluate them against bundled YAML constitutions, and write signed receipts. Before installing: (1) Review package.json for any postinstall scripts (npm lifecycle scripts run during install). (2) Be aware the plugin will read the OpenClaw config (~/.openclaw/openclaw.json) and will create a local receipt DB (default ~/.sanna/receipts/openclaw.db). (3) If you enable LLM semantic checks or OpenTelemetry, you may need to provide external credentials or endpoints — those features can cause outbound network activity and should be configured intentionally. (4) Consider enabling 'audit' mode first (non-blocking) to observe decisions before switching to 'enforce'.

VirusTotal

No VirusTotal findings

View on VirusTotal

Static analysis

No suspicious patterns detected.