Shoofly Plugin Scan

Security

Pre-install plugin security scanner for OpenClaw plugins

Install

openclaw skills install shoofly-plugin-scan

shoofly-plugin-scan

Scans an OpenClaw plugin directory for security issues before installation.

Usage

shoofly-plugin-scan <path-to-plugin>

Checks

  1. Credential patterns — API keys with sk-, ghp_ or AKIA prefixes, PEM private keys
  2. Obfuscated code — long hex/base64 strings, eval(), the Function() constructor
  3. Unusual network calls — URLs whose host is not in the trusted allowlist
  4. Sensitive path access — ~/.ssh, ~/.aws, ~/.gnupg, /etc/passwd, paths mentioning credentials
  5. Exec patterns — child_process.exec with non-literal (variable) arguments, shell: true

Exit codes

Code  Meaning
0     Clean — no findings
1     Findings — review before installing
2     Scan error

Allowlisted hosts

github.com, npmjs.com, openclaw.ai, clawhub.com, shoofly.dev