Pluginv1.2.3

ClawScan security

Knox • Security Plugin · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 15, 2026, 8:08 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The plugin's code, hooks, and instructions are consistent with a Claude Code out‑of‑process security enforcement tool; nothing requested is disproportionate to that purpose, but review install scripts, webhook targets, and audit-log placement before installing.
Guidance: This skill appears to be what it claims: an out‑of‑process security hook for Claude Code. Before installing, do these checks: (1) If you plan to use the manual git/npm install path, inspect scripts/postinstall.js and any npm lifecycle scripts — npm install can run arbitrary code. (2) Review and control the configured audit path and file permissions so sensitive data isn't written to a location you don't expect. (3) If you enable alerts/webhooks, verify the webhook endpoint is trusted (a webhook could receive metadata about detections). (4) Confirm you are comfortable with the plugin reading files passed to hooks (InstructionsLoaded, ConfigChange) — this is required for its scanning function. (5) Keep in mind the plugin runs node processes on every tool call (added latency) and has self‑protection that prevents easy local disabling; that is intentional but means removing it may require manual edits. If you want more assurance, review lib/config.js, scripts/postinstall.js, and the writeAudit implementation before enabling in production.

Review Dimensions

Purpose & Capability: okName/description claim an out‑of‑process enforcer for Claude Code; the codebase contains hook binaries (knox-check, knox-guard, cron-guard, etc.), pattern engines, self‑protection and audit logic that match that stated purpose. There are no declared environment variables or unrelated cloud credentials, and required binaries are reasonable (Node.js implied).
Instruction Scope: noteSKILL.md instructs installing the plugin via the Qoris marketplace (or cloning and running npm install). The runtime hooks explicitly read tool inputs and local files (e.g., changed settings and InstructionsLoaded files) to scan for injection and to write audit entries — this is coherent with its inspection role but means the plugin will read local files it is configured to scan. The README/behavior is explicit about what it reads and what it will not try to do (semantic intent, runtime tracing).
Install Mechanism: noteNo install spec in registry metadata (instruction-only), but SKILL.md references git clone + npm install and distribution via a marketplace. npm install will run package lifecycle scripts (scripts/postinstall.js is present) — expected for a Node.js plugin but worth auditing as it executes code on install. Marketplace installs may also run package scripts depending on the host; the referenced git/github URL is a normal release host (not a shortener or personal IP).
Credentials: okThe plugin declares no required env vars or credentials. The code reads environment values like CLAUDE_PLUGIN_ROOT and CLAUDE_PROJECT_DIR and uses a configurable webhook URL (config.alerts.webhook) for alerts — the webhook is a reasonable feature for an enforcement/audit tool but is user-configurable and not prespecified in requires.env.
Persistence & Privilege: okalways:false (not force-included) and model invocation not disabled (normal). The plugin requests no system-wide configuration changes in its registry metadata. It does implement self-protection (guards against modifications of its own files) and writes audit logs under a configurable path; both behaviors are consistent with a security plugin and not excessive by themselves.