Plugin v1.0.2

ClawScan security

OpenClaw Middleware Suite · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious, Apr 28, 2026, 8:07 PM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The package code matches the README: it is a large, local middleware suite that legitimately needs deep access to agent tool calls, but there are a few mismatches and injection-patterns in the SKILL.md that merit caution before installing.
Guidance
This package appears to implement exactly the middlewares described and is not obviously malicious, but exercise caution because: (1) installing it gives the middleware broad access to intercept every tool call your agent makes (filesystem, network, email/drive, shell) — treat it as a high-trust component; (2) the SKILL.md triggered prompt-injection pattern detections — open and read the README and SKILL.md yourself and search for suspicious embedded instructions or obfuscated text; (3) check which API keys or platform credentials (OpenAI/Google/Anthropic, OPENCLAW_HOME, etc.) the suite will use or prompt you to configure — the registry metadata did not list these; (4) verify the claim of 'Zero telemetry' by grepping code for outbound network calls, hard-coded endpoints, or telemetry/analytics libraries (look for fetch/http(s)/axios/request usage, hard-coded URLs, or telemetry keywords); (5) if you decide to try it, first install and run it in an isolated test environment or VM, limit secrets available to that environment, and review logs and network activity. If you are not comfortable reviewing the code yourself, prefer installing only from the official npm/GitHub release and check community/trust signals (stars, maintainers, signed releases).
Findings
[ignore-previous-instructions] unexpected: Detected inside the SKILL.md content. A README typically should not contain 'ignore previous instructions' style tokens — this may be a false positive from example text or badges, but review the README content for any embedded prompts or instruction-manipulating examples.
[system-prompt-override] unexpected: Pattern found in SKILL.md. Not expected for a middleware README; inspect the file to confirm whether this originates from sample payloads or accidental text that could be treated as a prompt by an evaluator.
[base64-block] unexpected: Base64-like blocks were detected in the SKILL.md. Could be data-URI images, badges, or false positives; verify the README doesn't embed encoded instructions or hidden payloads.
[unicode-control-chars] unexpected: Unicode control characters were flagged in SKILL.md. These are often used in obfuscated prompt injection examples; check for any zero-width or control characters that could alter prompt parsing.

Review Dimensions

Purpose & Capability
note: The name/description (HITL, Guardrails, PII redaction, model routing, token caps) align with the repository contents — there are explicit middlewares implementing each feature. However, the codebase also contains model-provider adapters (OpenAI/Anthropic/Google), a local dashboard/server, and many CLI scripts; the registry metadata declares no required environment variables or credentials even though provider integrations and CLI provider-auth workflows are present. Expect this suite to need API keys or gateway credentials at runtime (set via CLI or platform), which is not reflected in requires.env — a small mismatch, but explainable by the plugin relying on external platform-managed credentials.
Instruction Scope
concern: SKILL.md describes installing the plugin and running a CLI ('sai init', 'openclaw plugins install') and wiring into the OpenClaw gateway — that is consistent. But the README/SKILL.md was flagged by the pre-scan for prompt-injection patterns (e.g. ignore-previous-instructions, system-prompt-override, base64-block, unicode-control-chars). Those detections are unusual in a README and could be false positives (embedded examples, badges, or test text), but they deserve manual review. Also: because this middleware intentionally intercepts 'every turn and every tool call', installing it grants it very broad reach over agent actions (file reads/writes, network calls, email/drive operations) — which is coherent with its purpose but increases the risk if the implementation is malicious or buggy.
Install Mechanism
ok: There is no install spec in the registry manifest (instruction-only), and the README shows an npm package path. The repository includes full source, tests, and package.json; there is no evidence of arbitrary external downloads or obscure install URLs. This is lower-risk than a skill that pulls a binary from an unknown server, but the package is large — review package contents before installing and prefer installing from the official npm package or the known GitHub repo.
Credentials
note: The registry metadata lists no required env vars, but the code and tests reference OPENCLAW_HOME / OPENCLAW_CONFIG and include provider adapters (openai, google, anthropic) and CLI provider-auth commands. At runtime the suite will likely need credentials or will read OpenClaw configuration and local paths. The absence of declared required credentials in metadata is a modest inconsistency — verify which keys the suite expects before enabling it in a production gateway.
Persistence & Privilege
note: always: false (good). The skill is user-invocable and may be invoked autonomously by an agent (disable-model-invocation: false) — this is the platform default. Because the middleware is designed to intercept all tool calls, it inherently has high privilege over agent actions while installed. That privilege is coherent with its stated purpose, but you should treat the middleware as a high-trust component and only install it from a trusted source.