Back to plugin
Pluginv2026.4.16
ClawScan security
OpenClaw Tenant Bridge · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 9, 2026, 8:19 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The plugin's code, configuration schema, and runtime instructions are coherent with its stated purpose as a tenant-aware shared-memory bridge for OpenClaw; nothing in the package requests unrelated credentials or performs unexpected actions.
- Guidance
- This package appears to do what it says: provide a tenant-aware context engine and authenticated HTTP bridge with optional local/Postgres storage and optional S3 artifact storage. Before installing: 1) Limit allowedApps and use strong, unique serviceTokens in your plugin config; 2) If you enable S3, grant the plugin only the minimal S3 permissions needed and point it to trusted endpoints; 3) If using file-backed storage or QMD materialization, configure the storage paths (qmdRelativeDir / file path) to a directory you control and that cannot overwrite sensitive system files; 4) Provide Postgres credentials with least privilege if using a database; 5) Review runtime.ts and storage.ts for your deployment-specific concerns (persistence location, retention, and cleanup policies); and 6) Run the included tests locally to verify behavior in your environment. Overall the package is internally consistent, but secrets stored in plugin config and file writes are normal risks to manage with standard operational controls.
Review Dimensions
- Purpose & Capability
- okName/description (tenant bridge, HTTP endpoints, context engine, optional S3/Postgres) match the included files and config schema. Declared features (service tokens, local-file or Postgres storage, optional S3 artifact storage, QMD materialization) are implemented or exposed in the plugin schema and code.
- Instruction Scope
- okSKILL.md instructions are limited to cloning, installing node deps, linking the plugin into OpenClaw, and configuring plugin settings. The runtime instructions and HTTP handler code only accept authenticated requests, validate tenant IDs, and operate on plugin storage; they do not instruct the agent to read unrelated system files or environment variables.
- Install Mechanism
- okThere is no automatic download/install spec in the registry metadata — install is manual (linking or via ClawHub). Source files are included so behavior can be inspected. No external, untrusted URLs or archive extraction steps are present in the install instructions.
- Credentials
- noteThe skill requests no environment variables via the registry metadata, which matches SKILL.md. The plugin config schema does allow storing credentials (Postgres databaseUrl, S3 accessKeyId/secretAccessKey, and serviceTokens). This is expected for optional artifact storage and HTTP auth, but it means secrets are placed in plugin configuration (not environment variables) and should be managed carefully.
- Persistence & Privilege
- okalways is false and the skill does not request elevated platform privileges. The plugin writes its own state (local JSON store or Postgres) and can materialize markdown/QMD files when enabled — behavior consistent with its purpose and implemented within its own files rather than modifying other plugins or system-wide settings.