Pluginv0.8.0

ClawScan security

Aigroup Financial Services Openclaw Release · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 19, 2026, 4:42 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The package contents and instructions broadly match a financial‑services skill set, but the runtime guidance asks you to execute included install/preflight scripts and the SKILL.md contains prompt‑injection indicators (base64/unicode control sequences); review scripts carefully before installing or run in an isolated environment.
Guidance: This repository appears to be a legitimate financial‑services skill collection and does not request credentials in metadata, but it includes many executable scripts and vendored binaries and the SKILL.md was flagged for possible obfuscated content. Before installing or running preflight/install scripts: 1) Inspect scripts/preflight.sh, scripts/install_to_openclaw.py and other referenced scripts (and any large binary packaging steps) for network calls, shell execs, file deletion, or actions that read secrets or system config. Search for 'curl', 'wget', 'nc', 'ssh', 'rm -rf', 'chmod +x' and any external URLs. 2) Decode any base64 blocks and view files containing unusual unicode control characters to ensure they are benign assets or comments. 3) Run the install and preflight in an isolated test host or VM (sandbox) first, not on a production machine. 4) Verify source trust: this package claims to be repackaged from upstream Anthropic and MiniMax components — if you require provenance, fetch original upstream repos and compare checksums. 5) If you are uncomfortable reviewing the code yourself, ask for a brief audit from someone with shell/script review experience or refuse installation. Given the prompt-injection indicators and that the runtime steps execute repository scripts on your host, proceed cautiously and validate what those scripts will do before running them.
Findings: [base64-block] unexpected: A base64-like block was detected in SKILL.md content. Base64 blocks can be used for benign embedded assets, but their presence in runtime instruction text is unusual and warrants inspection (decode and review) before running any associated scripts. [unicode-control-chars] unexpected: Unicode control characters were detected in SKILL.md. These can be used to obfuscate content or influence parsers; review the file raw (hex) to ensure no invisible directives or injected prompts exist.

Review Dimensions

Purpose & Capability: okName/description (financial modeling, deliverables) align with the files included: many financial skills, deliverable pipelines, and vendored MiniMax office skills. No unrelated credentials or services are requested in metadata.
Instruction Scope: concernRuntime instructions direct the operator to run: `openclaw plugins install ...`, restart the gateway, and execute a bundled preflight script (~scripts/preflight.sh). Those scripts are present in the bundle and may execute arbitrary commands, read local files, or install other components. The SKILL.md also contains prompt‑injection indicators (base64 block and unicode control chars) flagged by the scanner — this suggests content may be obfuscated or crafted to influence automated processors. The instructions do not request secrets, but they do give broad discretion to execute repository scripts on the host.
Install Mechanism: noteNo explicit install spec is in the registry (instruction-only metadata), but the repository contains a full plugin bundle with many scripts and even binary blobs (vendored .NET assemblies). Installation via `openclaw plugins install` will pull and place these files on disk; there is no registry-level install manifest detailing post‑install actions. That makes local review of scripts important before execution.
Credentials: okThe package declares no required environment variables, no credentials, and no config paths. That is proportionate for a set of modeling and deliverable skills. There is no evidence in the metadata of unjustified secret collection.
Persistence & Privilege: noteFlags: always=false and normal autonomous invocation allowed (disable-model-invocation=false). The plugin will register skills with the agent and expect to be callable — this is consistent with its purpose. It does include install scripts that may copy files into the OpenClaw extensions directory and restart the gateway; review those scripts to confirm they only modify their own plugin files and do not alter unrelated agent/system configuration.