Plugin v1.0.9
ClawScan security
myaider · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 28, 2026, 11:16 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The plugin's code and instructions mostly match its stated purpose (connecting to myaider.ai and importing skills), but it auto-downloads and writes remote SKILL.md files into the local skills directory and treats an API-key-bearing MCP URL as non-sensitive in the UI. This behavior can introduce risk and deserves careful review before enabling.
- Guidance: What to consider before installing:
  - Expect network activity and persistent file writes: if you configure the plugin URL, it will attempt to connect to myaider.ai on startup and may automatically download and write SKILL.md files into OpenClaw's skills-dynamic directory. Those downloaded skill files can contain instructions your agents will later execute.
  - Treat the MCP URL as a secret: the example URL contains an apiKey query parameter. Store it securely and avoid exposing it in UIs or logs. Note: the plugin's UI hints mark the URL as non-sensitive; consider that a misconfiguration and keep the value private.
  - Limit agent permissions: only allow the myaider_mcp tool to agents you trust, and avoid granting broad or system-level tools to agents that will use dynamic skills.
  - Review remote skills before execution: if possible, test the plugin in an isolated environment first, or point skillsDir at a sandbox directory and inspect downloaded SKILL.md files before allowing them in production.
  - Audit dependencies and behavior: the package pulls transitive npm dependencies (package-lock is large). If you require higher assurance, review the full dependency tree and the truncated syncSkillsToDir implementation (it was truncated in the provided files) to confirm how files are validated/overwritten.
  - Mitigations: keep the plugin disabled until you need it, and avoid putting an apiKey-enabled URL in the config until you can review. If you must enable it, restrict gateway/agent permissions, and consider a manual workflow (run sync only on demand) or modify the plugin to require explicit confirmation before auto-sync.

  If you want a higher-confidence assessment, provide the full implementation of the syncSkillsToDir function and any code that performs validation/signature checks on downloaded skill files, and confirm whether the plugin overwrites existing skill files or validates authorship/signatures.
Review Dimensions
- Purpose & Capability (ok): Name/description align with the implementation: the plugin registers a myaider_mcp tool, can list/call MCP tools, and imports dynamic skills into the plugin's skills-dynamic directory. Requesting a MyAider MCP URL (which may include an API key) is coherent with the described functionality.
- Instruction Scope (concern): SKILL.md and the code instruct the agent to auto-download and write SKILL.md files from the remote MCP into the local skills-dynamic/ directory (both on-demand via sync_skills and automatically on plugin load). This effectively permits remote authors to push arbitrary OpenClaw skill instructions into the agent's runtime. That capability is consistent with the stated purpose but is high-risk because downloaded skill files can contain arbitrary agent instructions that will later be executed.
- Install Mechanism (note): There is no separate install script or external archive download; install is via OpenClaw plugin install or git clone + npm install. All code is present in the package. Dependencies are pulled from npm (package-lock shows a sizable transitive dependency surface including AWS SDK-related packages). No remote binary downloads or obscure URLs were observed in the install metadata.
- Credentials (note): The skill does not request environment variables, but it requires a MyAider MCP URL that commonly contains an API key (provided in examples). The plugin's openclaw.plugin.json UI hint marks the URL 'sensitive: false', which is misleading because the URL may contain a secret. No unrelated credentials or config paths are requested.
- Persistence & Privilege (concern): The plugin auto-syncs on load (setImmediate) when an MCP URL is configured and writes files into the plugin's skills-dynamic directory. This is persistent filesystem modification initiated at startup without an explicit manual sync step. While not using always:true, automatic network fetching + persistent file writes increases blast radius if the remote MCP or its skill authors are compromised.
