Skill v0.3.8-build-14
ClawScan security
Darkhunt Observability · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 10, 2026, 3:45 PM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The plugin’s code, CLI, and setup behavior are consistent with an OpenClaw telemetry exporter that sends OTLP traces to a configured endpoint; it does modify your OpenClaw config and can export conversation content if you choose a non-default payload mode, so review config and source before enabling.
- Guidance: What to check before installing:
  - Understand what will be sent: by default payload_mode = "metadata" (no conversation content). If you set payload_mode to "debug" or "full" the plugin will transmit truncated or full conversation content and tool arguments to the configured OTLP endpoint — only use those modes with endpoints you trust.
  - setup-plugin.sh will run npm install (production deps) in the plugin directory and will modify ~/.openclaw/openclaw.json (adds the plugin path and enables a plugin entry). The script backs up the file but you should inspect it before running.
  - Audit the repository or at least the payload filtering logic (payload.ts / span-builder) and the config handling (config.ts) to ensure sensitive fields are redacted as you expect. Verify the safe-tool allowlist if you rely on it.
  - If you prefer more control: install with --no-deps (scripts/package.sh supports packaging without node_modules), run npm ci yourself, and review node_modules before enabling; or point the plugin at a local OTLP collector (localhost:4318) to keep telemetry on-host.
  - Network & credentials: the plugin sends data to whatever traces_endpoint you configure. Use tokens/headers you are comfortable exposing to that endpoint and prefer short-lived or scoped tokens.
  - Because an automated scanner flagged a potential prompt-injection pattern, quickly grep SKILL.md and CLAUDE.md for lines that try to change system prompts, exfiltrate secrets, or ask the agent to ignore safety constraints; if you find anything suspicious, do not install.

  If you want, I can: (a) highlight the exact lines in SKILL.md/CLAUDE.md that look risky; (b) summarize where conversation content could be included in exports; or (c) produce a checklist to harden install/configuration (e.g., set payload_mode=metadata, use local OTLP collector, rotate keys).
- Findings
[system-prompt-override] unexpected: Automated pre-scan flagged a possible system-prompt-override pattern in SKILL.md. I reviewed the SKILL.md provided and did not see an obvious prompt-injection payload; this may be a false positive from pattern matching. Nevertheless, because SKILL.md and CLAUDE.md are used as runtime instructions/documentation, you should manually inspect them for any language that attempts to alter agent system prompts or ask the agent to reveal hidden context or secrets.
Review Dimensions
- Purpose & Capability (ok): Name/description match the contained code: the repo hooks OpenClaw events, builds spans, and exports via OTLP to a configurable traces endpoint (Darkhunt or any OTLP collector). No unrelated credentials or binaries are requested. The presence of CLI, exporter, span-builder, and setup scripts is coherent with the stated observability purpose.
- Instruction Scope (note): SKILL.md instructions are scoped to installing the plugin, running the setup wizard, and configuring endpoints/headers. The README and code confirm three payload modes (metadata/debug/full); choosing debug/full will send truncated or full conversation content to the configured endpoint — that is explicit in docs. The setup script also writes to ~/.openclaw/openclaw.json (adds load path and enables the plugin) and runs npm install when invoked; these side effects are expected for installing a plugin but are important to be aware of.
- Install Mechanism (note): There is no registry install spec but the bundle includes build scripts and a bootstrap (setup-plugin.sh) that runs npm install --omit=dev in the plugin directory. Dependencies are standard OpenTelemetry packages pulled from npm (package-lock.json present). No remote ad-hoc downloads or URL shorteners are used; packaging script may optionally bundle node_modules. Running npm install pulls from public npm — moderate risk if you don't audit dependencies.
- Credentials (ok): The plugin does not request unrelated environment variables or secrets; it expects the user to provide traces_endpoint and auth headers (Authorization, workspace/application id) via the setup wizard or openclaw.json. Those credentials are proportionate to sending telemetry to an external observability backend. The ability to export content is user-configurable (payload_mode), and metadata-only is the safe default.
- Persistence & Privilege (note): always:false and model invocation allowed (normal). The install scripts modify the user's ~/.openclaw/openclaw.json to add the plugin path and enable a plugin entry (it creates a .bak). This is standard for installing a plugin but means the script will persistently enable the plugin and write config under your home directory — review before running.
