Pluginv0.1.1

ClawScan security

Content Guard · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 28, 2026, 7:54 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The plugin's code and instructions match its stated purpose (running the content-guard Python scanner on outbound messages); there are no disproportionate requirements or hidden endpoints, but note it executes a Python module and forwards environment variables to that process.
Guidance: This plugin appears to do what it says: it shells out to the content-guard Python package to scan/redact outbound messages. Before installing: (1) review and trust the content-guard PyPI/GitHub project you will pip install (the adapter executes that package on every outbound message); (2) consider running content-guard in a dedicated virtualenv or restricted runtime to limit what the Python process can access; (3) test with dryRun=true to observe behavior without blocking; (4) be aware that any environment variables available to the host process are forwarded to the Python scanner—avoid running the gateway with unnecessary secrets in its environment if you are concerned; (5) set timeoutMs and failOpen appropriately to avoid availability surprises. If you want extra assurance, inspect the content-guard Python code (and network behavior) before enabling in production.

Review Dimensions

Purpose & Capability: okName/description claim to run Content Guard on outbound messages; the included index.mjs implements exactly that (writes a temp file, shells out to `python3 -m content_guard redact`, applies allow/redact/block). No unrelated credentials, binaries, or config paths are requested.
Instruction Scope: noteSKILL.md instructions align with the code (asks you to pip install content-guard and npm install the adapter). The runtime instructions and code spawn a Python process per message, write temporary files, and delete them. The plugin forwards process.env to the child process and adds a PYTHONPATH entry; this is expected for the scanner but means the Python process inherits any environment variables available to the host process.
Install Mechanism: okThere is no bundled install script; installation is the normal two-step: pip install content-guard, npm install the adapter. The package files are present and point to a GitHub repo; nothing is downloaded from an obscure URL or unpacked at install time by the plugin itself.
Credentials: noteThe skill does not declare or require any secrets or external credentials. However, when it invokes the Python scanner it passes the parent's environment (process.env) through to the child and may set CONTENT_GUARD_OPF_BIN if configured. Any secrets present in the host environment could therefore be visible to the Python process.
Persistence & Privilege: okThe plugin is not always-enabled, is user-invocable, and does not request elevated platform privileges or modify other plugins' configurations. It operates at message-send time only.