Plugin v0.1.9

ClawScan security

GrowthCircle.id Provider · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 29, 2026, 8:26 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini

Summary: This plugin is internally consistent with its stated purpose: a GrowthCircle.id OpenClaw model-provider that only requires a GrowthCircle API key to discover and proxy OpenAI-compatible model requests.
Guidance: This plugin appears to do what it claims: register GrowthCircle.id as a model provider and use a GrowthCircle API key to call https://ai.growthcircle.id/v1. Before installing: (1) Only provide a GrowthCircle API key you control and avoid putting it in shared global shells; use the OpenClaw onboarding flow or a scoped auth profile. (2) Verify you trust the GrowthCircle service and the GitHub repo URL in the manifest if you need to review source code; source files are included in the package so you can audit them locally. (3) Use the recommended OpenClaw versions noted in the README to avoid compatibility issues. (4) Rotate the key if you ever share it for demos. Minor note: the top summary in the report omitted the declared env var, but the package manifest and SKILL.md consistently require GROWTHCIRCLE_API_KEY; this looks like a metadata reporting quirk rather than a functional problem.

Review Dimensions

Purpose & Capability · ok
Name/description, code, manifest, and SKILL.md all describe an OpenClaw provider for GrowthCircle.id. The only credential referenced (GROWTHCIRCLE_API_KEY) is appropriate for the stated functionality. (Note: the top-level Requirements block in the report said “none”, but the included SKILL.md and package.json do declare GROWTHCIRCLE_API_KEY.)
Instruction Scope · ok
Runtime instructions (SKILL.md) limit actions to installing/enabling the plugin, restarting the OpenClaw gateway, and configuring the model provider. The runtime code performs /models discovery and normal provider registration. There are no instructions to read unrelated files, harvest arbitrary environment variables, or transmit data to endpoints other than GrowthCircle's declared base URL.
Install Mechanism · ok
No ad-hoc download URLs or extract steps are used; install instructions rely on OpenClaw's plugin install/update flow (clawhub/npm). The package includes source files and a package.json; dev dependencies appear in package-lock but are typical build/test deps. No high-risk install-from-personal-server behavior is present.
Credentials · ok
The plugin asks only for a single provider API key (GROWTHCIRCLE_API_KEY), which is proportionate to model discovery and proxying. I reviewed code paths and they only reference that env var for Authorization to the GrowthCircle endpoint; no unrelated credentials are requested.
Persistence & Privilege · ok
The plugin does not request always:true or other elevated privileges. It registers as a normal OpenClaw extension and requires explicit installation/enabling; autonomous invocation of the provider (disable-model-invocation=false) is normal for providers and not a red flag by itself.