Plugin v0.1.0

ClawScan security

Relay Workspace · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Mar 26, 2026, 12:52 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The plugin implements remote workspace file RPCs that match its stated purpose, but the documentation claims additional RPCs and safety checks (notably a root-deletion guard) that the code does not implement — this mismatch and the destructive capabilities warrant caution.
Guidance
This plugin does what it says (exposes workspace file RPCs to Relay) but there are important mismatches and safety gaps you should consider before installing:
1) Documentation claims additional RPCs (stat, rename) that the code does not register — confirm whether you need those and whether the plugin will be updated.
2) The README asserts a "root deletion guard" but the code does not check for or refuse deletion of the workspace root before calling rm(...). That means a connected Relay client that is trusted or compromised could delete large parts of your workspace.
3) Because the plugin allows remote read/write/delete over the gateway, only enable it if you trust the Relay client and the network path; prefer using it in trusted, local-only environments or behind strong authentication.
4) If you plan to use it, ask the maintainer to: implement and test the documented RPCs and explicitly enforce a root-deletion guard, add unit tests for path traversal and root-protection, and consider further access control (e.g., require client authentication or restrict to localhost).
If you cannot trust the source, test in an isolated environment and review/patch the code (or decline installation).

Review Dimensions

Purpose & Capability
note
Name/description match the code: the plugin exposes workspace file operations (list, read, write, delete) over the gateway for Relay. The code calls api.runtime.agent.resolveAgentWorkspaceDir() and uses Node fs, which is expected for this purpose. However README/SKILL.md advertise six methods (list, read, write, stat, rename, delete) while the code only registers list, read, write, and delete — an inconsistency between claimed capabilities and actual implementation.
Instruction Scope
concern
SKILL.md and README claim several security protections (including a root-deletion guard) and six RPCs; the implementation lacks registration for `workspace.rename` and `workspace.stat` and does not implement any explicit check that refuses deleting the workspace root before calling rm(...). Because the plugin grants remote clients the ability to read, overwrite, and recursively delete files in the agent workspace, missing or incorrect safeguards are meaningful and risky.
Install Mechanism
ok
No install spec is provided (instruction-only from the registry perspective), and the package only contains small source files and metadata. There are no remote download URLs or archive extracts. This is low risk from an install mechanism perspective.
Credentials
ok
The skill requests no environment variables, no credentials, and no config paths outside the agent workspace. That is proportionate to the stated purpose of operating on the agent's workspace directory.
Persistence & Privilege
ok
Flags are default (always: false, agent-invocable allowed). The plugin does not request elevated or permanent platform privileges. The ability to operate on workspace files is the intended functionality, but that capability is inherently powerful and should be allowed only to trusted clients.