Pluginv1.0.1

ClawScan security

Openclaw Agent Protocol · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 18, 2026, 7:21 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The code, instructions, and requested resources line up with an OpenClaw gateway plugin that enforces routing; nothing in the package indicates covert exfiltration or unrelated privilege requests, though there are small coherence/details to review before installing.
Guidance: This plugin appears to do what it claims: enforce routing at the OpenClaw gateway and log blocked calls locally. Before installing: (1) review and edit ~/.openclaw/hard_stop_policy.json immediately after setup so you control which tools are routed/blocked; (2) be aware the plugin will read ~/.openclaw/openclaw.json and will write logs and a local SQLite DB (~/.openclaw/compliance.db) containing truncated tool details (commands, paths, code up to ~200 chars) — these are stored locally only; (3) note small naming inconsistencies in the project (the installer/wizard uses "agent-routing-enforcer" while the plugin id in code is "openclaw-agent-protocol") — confirm your OpenClaw gateway will load the expected manifest and extension path; (4) run the setup in a test environment first and inspect the created files and plugin manifest before enabling in production; (5) run standard supply-chain checks (npm audit, check package origin, verify git repo) and ensure you have a build toolchain available for native deps (better-sqlite3). If you want, provide your OpenClaw gateway plugin-loading behavior (how it maps manifest IDs to installed directories) and I can point out exactly which filenames/IDs to inspect or adjust before enabling.
Findings: [better-sqlite3] expected: Package depends on better-sqlite3 to maintain a local compliance DB; this is expected for audit logging. better-sqlite3 runs a native install step — normal but requires build toolchain on host. [glob/minimatch] expected: Glob and minimatch are used for path-based routing; their presence is expected. [no_pre-scan_injection] expected: The repository had no pre-scan injection signals; however, absence of findings does not guarantee safety — the code was reviewed and is coherent.

Review Dimensions

Purpose & Capability: okThe name/description (gateway-level routing enforcement) match the code and SKILL.md. The plugin implements a before_tool_call hook, policy loading, glob-based routing, and a compliance DB — all appropriate for the stated purpose. Declared dependencies (better-sqlite3, glob, minimatch) are reasonable for local DB and glob matching.
Instruction Scope: noteRuntime instructions and the SKILL.md match the code: clone, build, run setup to generate a policy and install plugin. The wizard reads ~/.openclaw/openclaw.json (auto-detect) and writes ~/.openclaw/hard_stop_policy.json and ~/.openclaw/compliance.db and logs to ~/.openclaw/agent-routing-debug.log. This is expected, but note it will read your OpenClaw config and will locally log details (commands, paths, code snippets up to 200 chars) into a local SQLite DB and debug log.
Install Mechanism: okThere is no remote or opaque download in the registry entry; the package is instruction-only in the registry but includes source files. Installation is via npm (normal), and the setup wizard copies files into ~/.openclaw/extensions. No external, shortener, or personal-server downloads are used. better-sqlite3 has native install scripts (normal for that package).
Credentials: okThe skill requests no special environment variables or credentials. It uses HOME and an optional DEBUG environment variable only. That is proportionate to its function. It does access user's OpenClaw config (~/.openclaw/openclaw.json) which is reasonable for auto-detection of agents.
Persistence & Privilege: noteThe plugin installs itself into the user's ~/.openclaw/extensions directory and (per manifests) is enabled by default when present. always:false (no forced global inclusion) is set. This placement and default-enabled state are expected for a gateway plugin, but you should be aware it intercepts before_tool_call events and can deny tool calls once enabled.