Back to plugin

Security audit

Signet Openclaw Plugin

Security checks across malware telemetry and agentic risk

Overview

The plugin's code and runtime instructions match its stated purpose (signing and auditing OpenClaw tool calls) — but the registry metadata omits the real prerequisites (a local signet CLI and the optional SIGNET_PASSPHRASE env), so verify those before installing.

This plugin appears to do exactly what it claims: call the local signet CLI to sign and log every tool call, optionally enforce policies and encrypt parameters. Before installing: (1) ensure you have the official signet CLI binary installed and trustworthy (the plugin shells out to that binary and inherits its privileges), (2) be prepared for audit logs and identities to live under ~/.signet (or set auditDir/SIGNET_HOME explicitly), (3) treat the keystore passphrase (SIGNET_PASSPHRASE) as sensitive — prefer supplying it securely rather than embedding it in long-lived config, (4) note that the registry metadata incorrectly lists no prerequisites — follow the SKILL.md prerequisites instead, and (5) review the upstream signet CLI/@signet-auth/node packages (and their maintainer) if you need higher assurance. If you want to test safely, run the plugin in a non-production gateway with a fresh Signet home and identity first.

VirusTotal

No VirusTotal findings

View on VirusTotal

Static analysis

No suspicious patterns detected.