Plugin v0.1.0
ClawScan security
Real Estate · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 28, 2026, 11:16 PM
- Verdict
- suspicious
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The plugin appears to implement a local task manager that matches its description, but the skill file requests forced/always-on inclusion (always:true) and there is a metadata mismatch — that elevated persistence is not justified by the stated purpose.
- Guidance
- This plugin's code and SKILL.md otherwise look coherent for a local task manager: it only reads/writes a JSON file in the configured storagePath and exposes tools for tasks. However, the skill file requests always:true (force-enabled in every agent run), which increases its runtime privilege without a clear reason. Before installing, ask the publisher why the plugin needs to be always-enabled; consider editing or removing the metadata to avoid permanent inclusion. Also: (1) review and, if desired, change the default storagePath to a location you control; (2) audit the package-lock.json if you want to limit transitive dependencies (the code does not import AWS or external network clients, but the lockfile contains transitive SDK packages); (3) install and run the plugin in a restricted/sandboxed environment first; and (4) if you accept it, grant it only the minimal config (explicit storagePath) and do not enable always:true unless you understand the need.
Review Dimensions
- Purpose & Capability
- ok: Name/description align with the code and tools: the bundle implements a local TaskStore writing a JSON file, and exposes create/list/update/complete/reopen/delete/note/agenda tools. The default storagePath (~/.openclaw/state/real-estate/real-estate.json) and config schema match the described functionality.
- Instruction Scope
- ok: SKILL.md runtime instructions are limited to installing/building the plugin, enabling it, restarting the gateway, and using the real_estate_* tools. The plugin code performs only local filesystem operations (mkdir, readFile, writeFile, rename) on the configured storagePath and does not make outbound network calls or read unrelated system files.
- Install Mechanism
- note: There is no remote download/install spec; SKILL.md instructs running npm install and build locally. package.json lists only small dependencies (@sinclair/typebox, openclaw), but the provided package-lock.json contains many transitive packages (including AWS SDK packages). Those transitive deps increase surface area but are not imported by the plugin code; the install mechanism itself is standard (npm) and not a direct high-risk download-from-arbitrary-URL pattern.
- Credentials
- ok: The skill declares no required environment variables, credentials, or config path requirements beyond a user-provided storagePath. The plugin does local file I/O only and does not attempt to access unrelated credentials or environment variables.
- Persistence & Privilege
- concern: skills/real-estate/SKILL.md contains metadata {"openclaw":{"always":true}} which requests the skill be force-enabled permanently. The registry-level flags presented to you at the top show always:false, creating a mismatch. 'always:true' grants the plugin permanent inclusion in all agent runs; the plugin's purpose (local task manager) does not obviously require being always-on. This is a non-trivial privilege escalation and should be justified before installation.
