Plugin v0.1.0
ClawScan security
DefenseClaw Security · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 28, 2026, 9:47 PM
- Verdict
- benign
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The plugin's code and runtime instructions align with its stated purpose (routing LLM calls through a DefenseClaw guardrail proxy and scanning tool calls), but it performs wide runtime interception and will forward sensitive request data to the configured gateway, so you must trust the gateway and configuration.
- Guidance
- This plugin is coherent with its claimed purpose: it intercepts all LLM provider requests (patching global fetch / https.request), sends request metadata and tool-invocation details to a DefenseClaw gateway, and reports health/telemetry. Before installing, consider:
  - Trust the gateway: intercepted requests (including provider auth headers or extracted API keys) will be visible to the configured DefenseClaw gateway. If you point the plugin at a remote gateway you don't control, sensitive keys and prompts could be exposed.
  - Configuration vs metadata mismatch: SKILL.md documents env vars and a local config file (~/.defenseclaw/config.yaml) even though the registry metadata lists no required env vars — check and set the gateway host/port and OPENCLAW_GATEWAY_TOKEN intentionally.
  - Runtime impact: the plugin monkey-patches global fetch/https and is marked enabledByDefault in the manifest; disable it by default if you want to review behavior first.
  - Audit the gateway: run the sidecar locally (127.0.0.1) where possible, review its code/config and the plugin's open-source repo, and restrict network outbound access if you need stronger guarantees.

  If you need more assurance, ask the publisher for a signed release, verify the build artifacts (dist/) match source, or run the plugin in an isolated environment until you confirm expected behavior.
Review Dimensions
- Purpose & Capability
- ok: Name/description claim fetch interception, tool inspection, telemetry, and health checks; the repository and TS sources implement those features (fetch/https patching, sidecar client, telemetry, health monitor, provider registry). The declared registry metadata omits the environment variables documented in SKILL.md, but the variables are logically related to the plugin's function.
- Instruction Scope
- concern: Runtime instructions and code patch globalThis.fetch and Node https.request to route LLM provider calls through a guardrail proxy and add correlation/auth headers. The SKILL.md also references reading ~/.defenseclaw/config.yaml (overridable by env vars) and sending tool invocations and intercepted request metadata to the sidecar. These actions are within the plugin's intended scope but represent broad access to all outbound LLM traffic and to headers/bodies required for inspection.
- Install Mechanism
- ok: No external download/install spec is present; source/package.json is included and uses only a small dependency (js-yaml). No remote installers or archive downloads were found. The code-patch approach is higher-impact at runtime but the install mechanism itself is low risk.
- Credentials
- note: The SKILL.md documents environment variables (DEFENSECLAW_HOST, DEFENSECLAW_PORT, DEFENSECLAW_GUARDRAIL_PORT, OPENCLAW_GATEWAY_TOKEN) which are appropriate for connecting to a guardrail gateway, but the registry metadata listed 'Required env vars: none' — a mismatch. The plugin will forward provider auth and request content to the sidecar (intended for inspection), so any provider keys/tokens used by OpenClaw may be visible to the gateway; that is proportional to its goal but is a sensitive capability the user must accept.
- Persistence & Privilege
- note: The plugin is not marked 'always:true' and keeps no unusual system-level privileges. It does monkey-patch global fetch/https within the runtime, persists a stable agent id in plugin storage, and (in openclaw.plugin.json) is marked enabledByDefault: true — meaning it becomes active after install unless you disable it. That runtime interception capability grants broad reach over network calls and should be enabled only when you trust the configured sidecar.
