Pluginv2026.4.12-1

ClawScan security

Vauxr Openclaw · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 12, 2026, 10:38 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The plugin's code, runtime instructions, and configuration requests are consistent with a Vauxr <-> OpenClaw channel bridge; nothing requested appears disproportionate to that purpose.
Guidance: This plugin implements a straightforward Vauxr ↔ OpenClaw bridge and the runtime/API calls align with that purpose. Before installing: 1) Only configure the plugin with a Vauxr URL and token you trust (ideally on a local network); 2) Be cautious about enabling the plugins.allowPromptInjection/allowPromptInjection hook — doing so intentionally appends a system prompt to voice sessions and can change how the agent behaves; enable it only if you trust device sources and prompts; 3) If your environment will run npm install/npm ci for the package, review package-lock.json/dependencies (it contains many transitive packages) or perform a dependency audit before installing in a sensitive environment; 4) Consider running the plugin in a segmented network or test environment first to confirm behavior (connection, tool actions) and to ensure Vauxr-TTS/STT flows are as expected.
Findings: [system-prompt-override] expected: The SKILL.md and code deliberately append a voice-optimized system prompt for vauxr sessions (via a before_prompt_build hook) and require the allowPromptInjection hook to be enabled for that behavior. The scanner flagged 'system-prompt-override' but this is an explicit, documented feature of the plugin; still, it is a prompt-injection decision the operator must opt into.

Review Dimensions

Purpose & Capability: noteName/description, SKILL.md, and code all implement a WebSocket/HTTP bridge to Vauxr and register three REST-based tools (list devices, announce, control). The runtime requirements (Vauxr URL/token in plugin config) match the stated purpose. Note: package-lock.json contains many large/third-party packages (AWS/Anthropic entries) likely pulled in as dev/peer dependencies; these do not appear to be used at runtime but increase surface for dependency review.
Instruction Scope: noteSKILL.md stays on-purpose: it documents installing the plugin, configuring a Vauxr URL/token, and an optional voiceSystemPrompt. It also documents a fallback operator mode that uses OPENCLAW_URL/OPENCLAW_TOKEN (these env vars are for the fallback operator scenario, not required by the plugin). The docs explicitly instruct enabling the allowPromptInjection hook to make the plugin append a voice system prompt — this is intentional for the voice use-case but is effectively a prompt-injection allowance and should be enabled only when you trust the channel source.
Install Mechanism: okNo install spec (instruction-only install via openclaw plugins install path:...) and all code is included in the package. There are no external download URLs or extract steps. This minimizes installer risk; however, if your platform performs npm install/npm ci for the package, the package-lock could cause many transitive installs — review dependencies before running in sensitive environments.
Credentials: okThe plugin requests no environment variables from the platform. It uses channel configuration (url, token, optional voiceSystemPrompt) as expected; tools call the Vauxr REST API using that token. The fallback mode mentions OPENCLAW_URL/OPENCLAW_TOKEN for Vauxr operator connections, which is reasonable for that alternate mode and is documented separately.
Persistence & Privilege: okThe skill does not request elevated platform privileges. always is false. It registers a bridge and a before_prompt_build hook limited to vauxr sessions; it does not modify other plugins or global agent settings beyond its own plugin hooks. Autonomous invocation is enabled (default) which is normal for channel plugins.