Plugin v0.1.1
ClawScan security
Tasks · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 28, 2026, 10:00 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The plugin code and instructions match a local task manager, but there are inconsistencies (the skill declares permanent inclusion in its SKILL.md and the registry lists no install spec despite a full npm project) and a large transitive dependency tree that increase the attack surface.
- Guidance: What to consider before installing:
  - The code implements a local task manager and appears to only read/write a JSON file at a configurable storagePath; that matches the description.
  - However, the skill's SKILL.md contains metadata requesting always:true (force-inclusion). Ask the author why the plugin needs to be force-loaded for every agent session; prefer always:false unless there is a clear reason.
  - Registry metadata lacks an explicit install spec even though this package is a full npm project; the README instructs you to run npm install and build. Confirm how your OpenClaw installation will perform plugin installs and whether install scripts run automatically.
  - The package-lock contains many transitive libraries (AWS, Anthropic, etc.). This is likely benign (pulled in by the openclaw dependency), but it enlarges the supply chain. If you have strict policies, review the lockfile and run an npm audit and dependency review before installation.
  - Verify the configured storagePath and file permissions (default: ~/.openclaw/state/tasks/tasks.json) so the plugin only has access where you expect. Consider running the plugin in an environment or user account with limited filesystem scope if you have concerns.
  - If the author can confirm (a) the always:true metadata is accidental or can be removed, and (b) the transitive dependency set is expected (e.g., from openclaw), this would lower the risk and could change the assessment to benign.

  Confidence notes: the assessment is medium confidence because the code is readable and matches its stated purpose, but the metadata/install inconsistencies and large transitive dependency tree are unexplained and warrant confirmation.
Review Dimensions
- Purpose & Capability
  - note: The name, description, SKILL.md, plugin manifest, and source files all implement a local task manager that stores data in a JSON file (default: ~/.openclaw/state/tasks/tasks.json). That functionality is coherent with the stated purpose. Minor inconsistency: the registry metadata says "No install spec — instruction-only skill," but the package contains a full npm project, build step, and explicit install instructions in README/SKILL.md.
- Instruction Scope
  - note: Runtime instructions and the skill's SKILL.md are narrowly scoped to task creation, listing, updates, and agenda views. They do not instruct the agent to read unrelated system files or call out to external endpoints. However, skills/tasks/SKILL.md includes the metadata {"openclaw":{"always":true}}, which requests force-inclusion (see Persistence & Privilege) and is a notable instruction-scope divergence from typical skill behavior.
- Install Mechanism
  - note: There is no formal install spec in the registry, but README/SKILL.md instruct npm install, npm run build, and openclaw plugins install/enable. The package is a normal Node project with a package-lock.json. The lockfile contains many transitive packages (AWS, Anthropic SDKs, etc.), likely pulled in by transitive dependencies (openclaw), which increases the attack surface even though no external arbitrary URLs or shorteners are used.
- Credentials
  - ok: The skill declares no required environment variables or credentials. The plugin operates on a local JSON file path (configurable) and uses standard Node fs/os APIs. Requested configuration (storagePath, agenda horizon, auto-archive days) is proportional to the plugin's purpose.
- Persistence & Privilege
  - concern: The embedded skills/tasks/SKILL.md contains metadata requesting always: true (force-include in every agent run). always:true combined with autonomous invocation increases the blast radius if the plugin or its transitive deps are compromised. The manifest (openclaw.plugin.json) does not set always; this inconsistency should be clarified before installation.
