Plugin v2026.3.22

ClawScan security

Diagnostics Otel · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 23, 2026, 9:58 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
This skill is internally consistent: it implements an OpenTelemetry exporter for OpenClaw diagnostics and only sends telemetry to the configured OTEL endpoint(s).
Guidance
This plugin appears to do exactly what it says: export OpenClaw diagnostic events to an OpenTelemetry (OTLP) collector. Before installing, confirm you trust the OTEL endpoint you will configure (or any headers you pass) because diagnostic data -- including counters related to token usage, costs, and context sizes -- will be sent there. The plugin will also respect OTEL_* env vars if set; these are optional. If you need to limit telemetry, disable diagnostics or the otel exporter in your OpenClaw diagnostics config. If you require stronger guarantees about redaction, review redactSensitiveText behavior and avoid putting secrets into logs/headers.

Review Dimensions

Purpose & Capability
ok: Name/description match the code: service creates OTLP trace/metric/log exporters, registers diagnostics listeners and log transports, and emits OpenClaw telemetry. The declared dependencies are appropriate for OpenTelemetry functionality.
Instruction Scope
ok: Runtime behavior stays within diagnostics scope: it reads diagnostics config from the plugin context, registers to onDiagnosticEvent/registerLogTransport, creates metrics/spans/log exporters, and does not reference unrelated files, system paths, or external endpoints beyond the configured OTEL collector.
Install Mechanism
ok: No install script is present in registry metadata; source includes package.json with standard OpenTelemetry dependencies. There are no external arbitrary download URLs or unusual install steps in the packaged files.
Credentials
note: The code optionally reads common OTEL env vars (OTEL_EXPORTER_OTLP_ENDPOINT, OTEL_EXPORTER_OTLP_PROTOCOL, OTEL_SERVICE_NAME) and also allows headers via config. Registry metadata lists no required env vars; the env usage is optional and proportional to an OTLP exporter, but users should be aware that if they supply endpoint/headers those values (including any auth headers) will be sent to the configured collector.
Persistence & Privilege
ok: Skill does not request always: true and does not modify other skills or system-wide settings. It registers a service for diagnostics only and its lifecycle is bounded to start/stop; autonomous invocation is default but not excessive for this plugin type.