Pluginv0.3.1

ClawScan security

Composio Agent Orchestrator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignMar 27, 2026, 1:07 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The plugin's code, configuration schema, and runtime behavior are consistent with an Agent Orchestrator integration: it reads AO config, runs the 'ao' and optionally 'gh' CLIs, and exposes commands and background services — nothing in the package requests unrelated secrets or installs code from untrusted URLs.
Guidance: This plugin appears coherent for controlling Agent Orchestrator. Before installing: (1) set aoCwd to the exact directory you intend the plugin to operate on (it will search parent folders for agent-orchestrator.yaml); (2) be aware it will run local 'ao' and optionally 'gh' commands — those commands will run with the agent's environment and any existing GH CLI auth, so ensure your GH token scopes and local CLIs are appropriate; (3) review the index.ts source if you need to confirm no extra behavior; (4) run it in a restricted environment or with least-privilege credentials if you are unsure. Overall the package is internally consistent with its stated purpose.

Purpose & Capability: okThe name/description (Agent Orchestrator integration) matches what the code does: it reads agent-orchestrator.yaml, runs 'ao' commands, and uses 'gh' for GitHub issue scanning. Required config (aoCwd) and CLI usage are appropriate for this purpose.
Instruction Scope: noteThe plugin searches the filesystem for agent-orchestrator.yaml (including parent directories) and reads that file; it executes local binaries ('ao' and 'gh') via child processes. This is expected for an orchestrator plugin, but it means the plugin will access files under the configured working directory and can run arbitrary local CLI commands (subject to the host environment and configured aoPath/ghPath).
Install Mechanism: okNo install spec or remote downloads are present — the package is instruction/code-only and does not fetch external archives or use untrusted URLs.
Credentials: noteThe plugin does not declare required credentials or env vars, but it reads AO_CONFIG_PATH (if set) and forwards process.env into child processes. It relies on the host's 'gh' authentication (GH CLI tokens) if used; that is expected behavior but means the plugin can trigger operations that use existing credentials on the host.
Persistence & Privilege: okalways is false and the plugin is user-invocable; it does not request elevated platform privileges or declare permanent presence beyond normal plugin registration. Background services are part of its intended functionality.