Pluginv0.1.11

ClawScan security

Aigroup Financial Services Openclaw Clawhub 0.1.11 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 8, 2026, 1:45 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The plugin mostly matches its stated financial/office deliverable purpose, but prompt‑injection indicators in the SKILL.md and a large set of bundled artifacts (including compiled binaries) warrant caution and manual review before installing.
Guidance: This package appears to do what it claims (a financial-analysis and office deliverables suite) and doesn't request credentials, but take precautions before installing: - Manually inspect SKILL.md and README for any embedded base64 or strange unicode control characters flagged by the scanner; ensure there are no hidden instructions or encoded payloads. - Review the bundled compiled artifacts (dotnet binaries, large libraries) and confirm their provenance—prefer packages with clear upstream links and reproducible build steps. - Run the installer scripts in a sandbox or VM first (do not run as privileged user) and verify they only copy local files into an OpenClaw workspace and do not make unexpected network calls or modify unrelated system config. - If you plan to deploy in production, pin the plugin origin (trust lists), and consider extracting only the specific skills you need rather than installing the whole bundle. If you want, I can inspect the SKILL.md raw text for the flagged base64/unicode segments and point to their exact locations and contents.
Findings: [base64-block] unexpected: The scanner found a base64-block pattern inside SKILL.md content. Documentation for a financial plugin rarely needs embedded base64 payloads; this could be benign (embedded images, data blobs) but could also hide encoded instructions. Recommend manual inspection of SKILL.md and any embedded blocks before trusting the package. [unicode-control-chars] unexpected: Unicode control characters detected in SKILL.md. These are sometimes used to obfuscate or influence prompt evaluators. Not expected in ordinary documentation; review the markdown source to ensure there are no hidden or adversarial control sequences.

Review Dimensions

Purpose & Capability: noteThe name, description, commands, and included skills all align with a financial‑services + office‑deliverables plugin—bundling Word/Excel/PDF skills and financial modeling workflows. The presence of many skill subdirectories and helper scripts is expected for this kind of suite. One noteworthy point: the repository includes compiled .NET artifacts and many large bundled files for MiniMax-derived office skills; this is plausible for office-processing features but increases the install footprint and should be reviewed for provenance.
Instruction Scope: noteThe SKILL.md instructs the agent to use bundled skills and to avoid shell PATH probing; commands reference running local skill workflows and occasional simple shell operations (e.g., ls | grep) to enumerate templates. However, the static scan flagged 'base64-block' and 'unicode-control-chars' patterns inside SKILL.md (prompt‑injection signals). Those patterns are not expected for normal documentation and should be inspected to ensure there are no hidden instructions or encoded payloads embedded in the markdown.
Install Mechanism: okNo install spec was declared (instruction-only skill), and the published scripts perform local filesystem operations (copying skills into an OpenClaw workspace). There are no network download/install steps in the visible install scripts. That is lower risk than arbitrary remote downloads, but the repository does include prebuilt binaries and large artifacts (dotnet/assemblies) which increase risk if you don't trust the source.
Credentials: okThe plugin does not request any environment variables, credentials, or config paths. For its stated purpose (financial analysis + office deliverables) this is reasonable and proportional. There are no declarations that would enable credential exfiltration.
Persistence & Privilege: okThe skill is not marked always:true and does not request elevated platform privileges. The provided installer scripts copy files into an OpenClaw workspace (normal for a plugin pack) but do not modify other skills' configs or request permanent system‑wide changes.