Plugin v0.2.1
ClawScan security
OpenClaw Kitchen Sink · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 29, 2026, 8:04 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: This package is an internally consistent, credential-free "kitchen sink" fixture that exercises the OpenClaw plugin API surface and does not request extraneous credentials or installs; review SKILL.md for a small prompt-injection artifact (Unicode control characters) before installing.
- Guidance: This plugin is a test/fixture designed to exercise many OpenClaw plugin surfaces and is coherent with its description: it does not request credentials or install arbitrary remote code. Before installing, skim SKILL.md and README.md for the reported Unicode control characters (open them in a text editor that can show invisible characters) and confirm you are comfortable enabling a plugin that exposes many hooks/providers (the plugin is disabled by default). If you only need a small capability, prefer a narrower plugin rather than this kitchen-sink fixture.
- Findings:
  - [unicode-control-chars] unexpected: Unicode control characters were detected inside SKILL.md content. This is likely a harmless formatting artifact (e.g., invisible characters) but could be used to hide or obfuscate instructions. Recommend visually inspecting SKILL.md and the README for unexpected hidden content before proceeding.
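The finding above only tells you that something invisible is in SKILL.md, not where or what. A reviewer wants the exact code points, their positions and a rough severity: bidi override characters (U+202A..U+202E, U+2066..U+2069) can reorder what the editor displays and so hide an instruction in plain sight, whereas a stray zero-width space or BOM is usually an editing artifact. The following Python script is an added example written for this page; it is not part of ClawScan or the Kitchen Sink plugin. `SAMPLE_SKILL_MD` is a constructed stand-in for a skill file, seeded with a zero-width space, a right-to-left override and an in-body BOM so the scan has something to report; the severity tiers are this example's own choice, not ClawHub's scoring.

```python
import unicodedata
from typing import Dict, List

# Constructed sample standing in for a SKILL.md excerpt (not the plugin's real file).
# Line 3 hides a zero-width space inside a word, line 4 wraps "localhost" in a
# right-to-left override, and line 5 carries a BOM in the middle of the file.
SAMPLE_SKILL_MD = (
    "# Kitchen Sink skill\n"
    "Run `npm install` then `npm test`.\n"
    "Do not\u200b read secrets.\n"                  # U+200B ZERO WIDTH SPACE
    "Allowed hosts: \u202elocalhost\u202c only.\n"  # U+202E RLO ... U+202C PDF
    "\ufeffTrailing BOM line\n"                     # U+FEFF outside file start
)

# Bidi embedding/override/isolate controls: the primitive behind "Trojan Source"
# style rendering tricks, so they get the highest severity here (example policy).
BIDI_CONTROLS = {0x202A, 0x202B, 0x202C, 0x202D, 0x202E,
                 0x2066, 0x2067, 0x2068, 0x2069}
# Whitespace controls that legitimately appear in text files.
ALLOWED = {"\n", "\r", "\t"}


def find_hidden_chars(text: str) -> List[Dict]:
    """Return one record per control (Cc) or format (Cf) character in `text`.

    Each record carries 1-based line/column, the code point, its Unicode name,
    its general category and a severity tier chosen by this example.
    """
    hits: List[Dict] = []
    for lineno, line in enumerate(text.splitlines(keepends=True), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in ALLOWED:
                continue
            cat = unicodedata.category(ch)
            # Cc = C0/C1 controls; Cf = format chars (zero-width, bidi, BOM).
            # Everything else is printable and left to the human reviewer.
            if cat not in ("Cc", "Cf"):
                continue
            cp = ord(ch)
            if cp in BIDI_CONTROLS:
                severity = "high"    # can reorder rendered text to hide instructions
            elif cat == "Cf":
                severity = "medium"  # invisible, but does not reorder display
            else:
                severity = "low"     # stray control byte, usually an editor artifact
            hits.append({
                "line": lineno,
                "col": col,
                "codepoint": f"U+{cp:04X}",
                "name": unicodedata.name(ch, "<unnamed>"),
                "category": cat,
                "severity": severity,
            })
    return hits


def summarize(text: str) -> Dict[str, int]:
    """Count hits per severity tier; useful as a pass/fail gate in CI."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for hit in find_hidden_chars(text):
        counts[hit["severity"]] += 1
    return counts


def scan_file(path: str) -> List[Dict]:
    """Scan a real file such as SKILL.md or README.md from an unpacked plugin."""
    with open(path, encoding="utf-8", errors="surrogateescape") as fh:
        return find_hidden_chars(fh.read())


if __name__ == "__main__":
    for h in find_hidden_chars(SAMPLE_SKILL_MD):
        print(f"{h['severity']:6} line {h['line']:>3} col {h['col']:>3} "
              f"{h['codepoint']} {h['name']}")
    print(summarize(SAMPLE_SKILL_MD))
```

Run it against the unpacked plugin with `scan_file("SKILL.md")` and `scan_file("README.md")`; a non-empty `high` count means the rendered text may not match the bytes the model or runtime reads, and the file should be inspected with a hex dump or an editor that shows invisible characters rather than trusted at a glance.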
Review Dimensions
- Purpose & Capability (ok): Name/description match the implementation: the code intentionally registers many providers, tools, hooks, channels, and CLI entries as a test/fixture. The manifest declares no required credentials and the code operates on bundled assets and in-memory fixtures, which is proportionate to a "kitchen sink" fixture.
- Instruction Scope (note): SKILL.md contains developer/runtime instructions (npm install, sync surface, tests) that are appropriate for a repo fixture but are broader than what an end-user plugin runtime strictly needs; the document also claims the runtime will not call external services or read secrets, and the code appears to honor that (it reads bundled files and uses local crypto/fs). Review SKILL.md for the detected Unicode control characters and confirm no hidden instructions are present.
- Install Mechanism (ok): No install spec is provided in the skill metadata (instruction-only from the registry point of view). The repository includes source and an asset bundle; developer instructions use npm and GitHub workflows (expected for a Node.js fixture). There are no download-from-arbitrary-URL installs declared by the skill.
- Credentials (ok): No required environment variables, no primary credential, and the plugin manifest lists providers with authMethods: ["none"]. The code reads a local PNG asset and uses node:crypto and node:fs, all local and proportional to the stated purpose.
- Persistence & Privilege (note): The package registers many hooks/providers/tools when enabled, but openclaw.plugin.json sets enabledByDefault: false and the registry flags show always: false. Autonomous invocation is allowed (the default) but is not combined with always-enabled status or credential requests, which keeps privileges reasonable for a fixture.
