Skill v1.0.2

ClawScan security

OmniPermission (Human-in-the-Loop) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 10, 2026, 1:36 PM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The plugin implements the claimed human-in-the-loop interception, but it transmits intercepted tool calls (and relies on a user secret key) to an external backend (unknown domain) and stores that key in plaintext locally. These behaviors are coherent with the purpose but raise privacy/trust concerns that you should review before installing.
Guidance
This plugin does what it claims (it intercepts tool calls and asks a mobile app for approval), but you should verify a few things before installing:
1) Confirm the backend domain (backend.ecrop.de) and the mobile app publisher are trustworthy and match the project you expect (the README links to GitHub/Apple/Play, but the backend host is a different domain).
2) Understand that your OmniPersona secret key is stored in plaintext under the plugin state directory; treat it like a sensitive credential and ensure proper filesystem permissions and backups.
3) If you allow agents CLI access, they could change the plugin's blacklist or disable protections; run agents in a restricted environment if you need strong guarantees.
4) If you fork or modify the plugin to include richer context (agent reasoning, project IDs), be aware that this increases the data sent to the external backend.
If you need higher assurance, ask the maintainer for an audit of the backend service, run the plugin against a local or self-hosted backend, or review the mobile app's privacy/security posture before entering your key.

Review Dimensions

Purpose & Capability
note: The name/description match the code: the plugin intercepts before_tool_call events, checks a user-configured blacklist, and requests mobile approval. Requesting and storing a secret key and contacting a backend for approval is consistent with a mobile push-approval flow. Minor mismatch: the README and SKILL.md reference a GitHub project and app store listing, but the backend host used in code is backend.ecrop.de / backend.dev.ecrop.de (a domain not documented elsewhere in the repo), which reduces verifiability.
Instruction Scope
note: Runtime instructions and code limit themselves to intercepting tool calls and sending a small approval payload to the backend. The SKILL.md explicitly instructs users to install the mobile app and paste a secret key. The code does not read other files or agent internals, but the README/SKILL.md encourage forking the plugin to include richer agent context (e.g., internal reasoning or project IDs), which would increase data exposure if implemented; the currently shipped code, however, sends only a tool name and a generic message.
Install Mechanism
ok: This is an instruction-and-code plugin with no external install script or binary downloads. There is no install spec that pulls code from arbitrary URLs; the code is shipped in the bundle. This lowers install-chain risk compared to remote downloads.
Credentials
concern: No environment variables are requested, which is appropriate. However, the plugin requires a 'Secret Key' entered by the user and stores it as plain text in state/omni_key.txt. That secret grants the backend the ability to correlate approvals to your installation; storing it unencrypted in plugin state increases risk (other local processes, backups, or misconfigured permissions could expose it). The plugin also contacts external backend domains (production and dev), and the dev backend can be enabled by the user; using a dev backend may expose data to an alternate server.
Persistence & Privilege
note: The plugin registers gateway hooks and will intercept requests when enabled (this is expected for a gateway plugin). always:false and no attempt to modify other plugins or system-wide settings is good. However, the SKILL.md highlights an 'Agent-Managed' mode where an agent with CLI access could change the blacklist or clear protections; that risk depends on how you run agents and whether they have access to the openclaw CLI.