ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Openclaw Plugin

v1.3.2

Inference-based intrusion detection for AI agents. Pattern matching + LLM analysis for jailbreaks, prompt injection, credential theft, social engineering. 108 detection patterns, OpenClaw plugin, auto-scan, quarantine. Commands: hopeid scan, hopeid test, hopeid setup, hopeid stats, hopeid doctor.

0· 2.2k·1 current·1 all-time
by@emberdesire
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (inference-based IDS, quarantine, Telegram alerts) align with the code and manifest: it implements auto-scan, quarantine records (metadata-only), per-agent config, and commands. The plugin depends on a separate 'hopeid' package (declared in package.json) which is coherent with the skill's functionality.
!
Instruction Scope
SKILL.md and code consistently state 'metadata-only' storage, and quarantine records do not include an originalMessage field. However classification is performed using llm-task or a classifier agent (api.invokeTool or api.sessions.send) and the code sends (a substring of) the incoming message to whichever model/provider is configured. That means raw message content will be transmitted at runtime to the configured model/provider even though it is not persisted — this is a potential data-exfiltration vector users may not expect. The instructions ask to run 'npx hopeid setup' which implies additional installation/config steps external to OpenClaw; the origin and behavior of that CLI are not documented here.
Install Mechanism
There is no install spec in the registry entry (instruction-only), but the package.json includes a dependency on 'hopeid'. The code dynamically imports 'hopeid' and will error if it is not installed (with instructions to npm install it). This mixed messaging (no install spec but package.json + dynamic import) is inconsistent and requires the user to install an external package. The 'hopeid' package origin is not verifiable from the provided metadata (homepage truncated/absent).
Credentials
The skill declares no required env vars or credentials and relies on OpenClaw platform config (e.g., channels.telegram.botToken and ownerNumbers). That is proportionate. However, runtime classification sends message text to configured LLM tooling (llm-task or classifierAgent) which may route to third-party providers (Anthropic/OpenAI/etc) configured elsewhere in the platform — installing this plugin therefore implicitly sends messages to those providers. The SKILL.md emphasizes metadata-only storage but does not highlight that raw message text is transmitted to models for classification.
Persistence & Privilege
always is false and the plugin does not request system-wide privileges. It writes quarantine records to a plugin-specific directory (default ~/.openclaw/quarantine/hopeids) and will fall back to an in-memory/file-based quarantine if the 'hopeid/quarantine' module is not present. It does not modify other skills' configs. Writing records to the user's home directory is expected for a quarantine feature but you should verify file permissions and retention policies.
What to consider before installing
This plugin is coherent with its stated purpose (an IDS that quarantines threats and alerts via Telegram) but you should not install it blindly. Key things to consider before installing: - Message transmission to models: classification uses llm-task or a classifier agent and sends (part of) the raw incoming message to the configured model/provider. That is expected for semantic analysis but means sensitive text may leave your system at runtime even if it is not persisted. Verify which LLM providers (local vs cloud) your OpenClaw instance routes llm-task or classifierAgent calls to. - External dependency provenance: the plugin dynamically imports a separate 'hopeid' package and suggests running 'npx hopeid setup' / 'npm install hopeid'. The registry entry does not include a trustworthy homepage or maintainer details. Inspect the 'hopeid' package source (and any CLI behavior) before installing it. - Storage: quarantine records are metadata-only by design, but they are written to ~/.openclaw/quarantine/hopeids (or records.json in that dir in fallback). Confirm you are comfortable with that path and check retention/permissions. - Conservative initial settings: enable the plugin in non-strict/warn-only mode and disable autoScan initially; verify alerting behavior (Telegram) and that alerts contain only metadata. Test with non-sensitive inputs in a staging environment. - If you need higher assurance: request the full 'hopeid' package source and the remainder of this plugin's source (truncated portions) to audit exactly what is sent to classifiers and how patterns/rules are defined. Given these gaps (missing provenance, runtime transmission of raw messages to configured LLMs, and inconsistent install guidance), treat this skill with caution and perform the checks above before trusting it in production.

Like a lobster shell, security has layers — review code before you run it.

latestvk97e5pbap64j50krm2da018j7h80zvwa

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments