Plugin v0.5.0
ClawScan security
Aigroup Financial Services Openclaw Release · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 19, 2026, 3:43 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The plugin's declared metadata (no required binaries/env) and 'instruction-only' label don't match the large set of bundled scripts, binaries, and README runtime instructions; prompt‑injection patterns were also detected in the SKILL.md — review install scripts and any encoded/obfuscated content before installing.
- Guidance: Before installing or running any included scripts:
  1) Manually inspect scripts/preflight.sh, scripts/install_to_openclaw.py, scripts/sync_upstream.py, scripts/validate_bundle.py and any large scripts under skills/*/scripts for network calls (curl, requests, urllib, sockets) or references to system credentials and for any subprocess executions.
  2) Search the repo for 'http', 'https', IP literals, 'scp', 'ssh', 'base64', 'eval', 'exec', 'subprocess', and os.environ uses — confirm any outbound endpoints are expected.
  3) Look for and decode any base64 blobs or hidden unicode control characters found in SKILL.md or other docs — ensure they are benign.
  4) Because the README lists runtime deps (python, node, uvx, python-pptx) that aren't declared in metadata, test in an isolated sandbox or VM first rather than a production host.
  5) If you only need specific sub-skills, consider extracting and installing a minimal subset rather than the whole bundle.
  6) If you are not comfortable auditing the code, ask the publisher for a signed checklist of network endpoints and an explicit install script explanation, or prefer a package with clearer metadata and fewer vendored binaries.

  If you want, I can scan the most suspicious files (preflight.sh, install_to_openclaw.py, sync_upstream.py) and report any network calls or environment accesses I find.
- Findings:
  - [base64-block] unexpected: A base64 block pattern was detected inside SKILL.md; a financial modeling plugin does not normally need encoded payloads embedded in README/SKILL content. This may be an obfuscation attempt or an innocuous embedded example; inspect the SKILL.md for any large base64 blobs and decode them locally to verify their contents before running any scripts that reference them.
  - [unicode-control-chars] unexpected: Unicode control characters were detected in SKILL.md. These can be used to hide content, break simple scanners, or perform prompt injection. Review the SKILL.md in a binary/hex-safe editor to confirm there are no hidden instructions or injected prompts, and inspect any files that the SKILL.md points the installer at (preflight.sh, install_to_openclaw.py).
Review Dimensions
- Purpose & Capability (note): The repository's name and README describe a financial modeling/deliverable suite and the included skills/commands align with that purpose (DCF, LBO, comps, deliverables, bundled MiniMax office skills). However the registry metadata claims 'no required binaries' and 'no required env vars' while README/QUICKSTART and many SKILLs explicitly list runtime dependencies (python3, node, uvx, python-pptx, pptxgenjs). That mismatch between declared requirements and the files/instructions is noteworthy and could lead to unexpected failures or hidden runtime behavior.
- Instruction Scope (concern): The SKILL.md / README instructs running host-level commands (openclaw plugins install, launchctl, bash ~/.openclaw/.../preflight.sh) and the repository includes many install/utility scripts (scripts/preflight.sh, scripts/install_to_openclaw.py, scripts/sync_upstream.py, scripts/validate_bundle.py). Those scripts may examine the host filesystem and call network endpoints; additionally the pre-scan detected prompt-injection patterns (base64-block, unicode control chars) inside SKILL.md — this could be an attempt to evade simple scanners or to inject content into agent prompts. You should manually inspect the preflight and installer scripts and any encoded payloads before running them.
- Install Mechanism (note): No formal install spec was provided in the registry metadata (lower risk by platform rules), but the bundle contains many scripts and even compiled dotnet artifacts and vendored third-party skill code (e.g., minimax-docx dotnet binaries under skills/minimax-docx). Bundling large binary artifacts is not inherently malicious but increases surface area; because there is no standardized install recipe in the metadata, installation may rely on running the included scripts which will write to disk and possibly execute subprocesses.
- Credentials (note): The package requests no environment variables in metadata, and no primary credential is declared — that is good. However the README references optional/expected host capabilities and companion MCP services and the codebase contains scripts that may call external MCP endpoints or perform sync operations (scripts/sync_upstream.py, scripts/install_to_openclaw.py). The absence of declared env vars combined with networkable scripts is an inconsistency worth auditing (search for uses of os.environ, subprocesses that read ~/.openclaw, or code that calls remote URLs).
- Persistence & Privilege (ok): The skill does not request 'always: true' and keeps autonomous invocation enabled (default). There is no metadata indicating it will forcibly remain loaded system‑wide beyond normal OpenClaw plugin behavior. Installation scripts are expected to place files in the user's OpenClaw extensions directory (normal for plugins).
