Portal

Warn

Audited by ClawScan on May 18, 2026.

Overview

Portal is coherent for creating live browser demos, but it asks users to install an unreviewed plugin and can save authenticated sessions or upload local project files to a cloud service.

Review this carefully before installing. It may be useful for demos, but use only sanitized projects and low-privilege demo accounts, confirm what is uploaded or shared, and separately verify the `openclaw-portal` plugin before trusting it with authenticated sessions.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The actual plugin code that handles browser sessions, logins, and portal creation was not available for review, so users cannot verify from these artifacts what it will run or access.

Why it was flagged

The reviewed package is described as instruction-only with no install spec or code files, but the skill directs installation of a separate plugin that is not present in the reviewed artifacts.

Skill content

openclaw plugins install openclaw-portal
openclaw gateway restart

Recommendation

Install only from a trusted, verifiable source, review the plugin package separately, and avoid using production accounts until its code and permissions are clear.

What this means

A saved authenticated session could expose private account data or allow actions inside the logged-in site if the portal or its guardrails are misconfigured.

Why it was flagged

The skill explicitly supports capturing login state for sensitive authenticated sites, including dashboards, SaaS apps, and admin areas, to power a hosted browser session.

Skill content

Authenticated site (dashboard, SaaS, admin) | `save_login` first (Step 2)

Recommendation

Use disposable demo accounts with minimal permissions, avoid production/admin sessions, verify exactly what viewers can see or do, and revoke saved sessions after use.

What this means

Private source code, configuration files, or secrets could be uploaded to the provider if they are inside the project directory.

Why it was flagged

For local files or localhost demos, the skill instructs packaging and sending a project to the portal service, but only names a few exclusions and does not mention secrets such as `.env` files or local credentials.

Skill content

Local file → zip the project (exclude `node_modules`, `.git`, `dist`), base64 encode. Pass contents as `ptl.entry.source`

Recommendation

Create a sanitized demo copy, remove `.env`, credentials, test data, and private files, and confirm the exact upload contents before creating a portal.