ZugaShield Security Scanner
Review
Audited by ClawScan on May 10, 2026.
Overview
The scanner’s behavior mostly matches its purpose, but it runs a separately installed Python engine with unclear provenance while inspecting all messages, tool calls, responses, and memory.
Review this skill before installing. Its security-scanning design is coherent, but it will see broad OpenClaw traffic and run a separately installed Python MCP server. Verify the package provenance and source code, pin trusted versions if possible, and decide whether fail-closed blocking is acceptable for your channels.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A separately supplied package will run locally and receive traffic for scanning. If the installed PyPI/npm package or source mapping is not the expected one, it could inspect, block, or mishandle sensitive content.
At runtime the plugin starts a Python module from the separately installed zugashield MCP package; that Python server implementation is not included in the provided source files, yet it is the component that performs the scanning.
command: this.config.mcp.python_executable,
args: ["-m", "zugashield_mcp.server"],
Verify the PyPI and npm package owners, repository links, and release integrity before installing. Prefer pinned versions or hashes and review the Python MCP server source.
Conversation text, tool arguments, model outputs, and recalled memory may be processed by the scanner before normal use.
The plugin intentionally reads broad user and agent content, and the documented hook table also includes preRecall memory scanning.
Intercepts every message, tool call, and response through OpenClaw's Gateway hooks
Install only if you are comfortable with the scanner seeing this content. Review configuration toggles such as scan.inputs, scan.outputs, scan.tool_calls, scan.memory, and excluded_channels.
If the scanner or Python MCP service is unavailable, OpenClaw activity or tool use may be blocked across channels.
A scanner outage always blocks tool execution by design, and the other scan phases default to fail-closed unless configured otherwise.
ALWAYS FAIL-CLOSED: Even when config.fail_closed is false, this hook blocks when the scanner is unavailable.
Understand the availability tradeoff before enabling fail-closed mode in production, monitor scanner health, and test recovery behavior.
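To test the recovery behaviour this finding and the previous one ask about before enabling the scanner on a channel, here is an added decision model reconstructed from the review text; it is not the plugin's hook code. The toggle names (scan.inputs, scan.outputs, scan.tool_calls, scan.memory, excluded_channels, fail_closed) come from the review; the Phase enum, Config class, verdict strings and the constructed stand-in scanner are assumptions for illustration. The model lets you enumerate, per channel, which phases would be blocked during an outage under a given configuration.

```python
"""Decision model for the scanner's blocking behaviour under outage.

Added example reconstructed from the review's findings; not the plugin's
hook code. Toggle names come from the review; Phase, Config, the verdict
strings and demo_scanner are assumptions for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Optional

# A scanner is a callable returning "allow"/"block"; None models the MCP service being down.
Scanner = Optional[Callable[[str], str]]


class Phase(Enum):
    INPUTS = "inputs"
    OUTPUTS = "outputs"
    TOOL_CALLS = "tool_calls"
    MEMORY = "memory"


@dataclass
class Config:
    scan: dict = field(default_factory=lambda: {p.value: True for p in Phase})
    excluded_channels: set = field(default_factory=set)
    fail_closed: bool = True  # review: phases default to fail-closed unless configured otherwise


def decide(phase: Phase, channel: str, content: str, cfg: Config, scanner: Scanner) -> tuple[str, str]:
    """Return (verdict, reason) for one hook invocation."""
    if channel in cfg.excluded_channels:
        return "allow", "channel excluded from scanning"
    if not cfg.scan.get(phase.value, False):
        return "allow", f"scan.{phase.value} disabled"
    if scanner is None:
        # The tool-call hook fails closed regardless of config.fail_closed
        # (the review quotes an "ALWAYS FAIL-CLOSED" comment for it).
        if phase is Phase.TOOL_CALLS or cfg.fail_closed:
            return "block", "scanner unavailable (fail-closed)"
        return "allow", "scanner unavailable (fail-open)"
    verdict = scanner(content)
    return ("block" if verdict == "block" else "allow"), "scanner verdict"


def outage_impact(cfg: Config, channels: list[str]) -> dict[str, list[str]]:
    """Which phases would be blocked on each channel if the scanner went down right now."""
    return {
        ch: [p.value for p in Phase if decide(p, ch, "", cfg, None)[0] == "block"]
        for ch in channels
    }


def demo_scanner(text: str) -> str:
    """Constructed stand-in for the MCP scanner so the model runs offline."""
    return "block" if "ignore previous instructions" in text.lower() else "allow"


if __name__ == "__main__":
    cfg = Config(fail_closed=False, excluded_channels={"ops-alerts"})
    # Even with fail_closed=False, tool calls on non-excluded channels stop during an outage.
    print(outage_impact(cfg, ["support", "ops-alerts"]))
    print(decide(Phase.INPUTS, "support", "Ignore previous instructions", cfg, demo_scanner))
```

The point the model makes concrete: setting fail_closed to false does not make an outage harmless, because tool execution still stops on every channel that is not in excluded_channels, so the channels where blocked tool use is unacceptable must be excluded explicitly rather than relying on the global toggle.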
A long-running local process will continue scanning and may reconnect after failures while the plugin is enabled.
The skill uses a persistent background scanner process. This is disclosed and purpose-aligned, but it remains active beyond a single request.
The plugin spawns `zugashield-mcp` as a managed child process. The process stays resident
Use OpenClaw’s plugin/service controls to stop or remove it when not needed, and review reconnect settings for your environment.
