Code Plugin · source linked

Agent Runtime Guard v0.1.0

AI agent runtime security guard: Phase 1 OpenClaw plugin adapter

agent-runtime-guard · runtime agent-runtime-guard · by @findneo
Community code plugin. Review compatibility and verification before install.
openclaw plugins install clawhub:agent-runtime-guard
Latest release: v0.1.0

Capabilities

configSchema
Yes
Executes code
Yes
HTTP routes
0
Runtime ID
agent-runtime-guard

Compatibility

Built With Open Claw Version
2026.3.28
Min Gateway Version
2026.3.28
Plugin Api Range
>=2026.3.28
Plugin Sdk Version
2026.3.28
Security Scan
VirusTotal
Benign
OpenClaw
Suspicious
high confidence
!
Purpose & Capability
The purpose is coherent: a security guard that intercepts OpenClaw tool calls, outbound messages, persistence, and installs, then evaluates policy and writes audit records. The concern is that its own minimization/redaction claims do not consistently match the implementation, especially around full params in canonical events, raw session/agent subject fields, and a public raw-secret extraction helper.
!
Instruction Scope
Registering many lifecycle hooks is purpose-aligned for a runtime guard, but it is high-impact authority over tool execution, message sending, and installs. User-facing docs do not clearly explain all sensitive data that may be inspected or retained in audit logs.
!
Install Mechanism
The normal installer copies plugin, policy, schema, config, and script files into user OpenClaw and agent-runtime-guard directories. However, docs instruct PowerShell execution-policy bypass, and included prepare-speckit scripts can mutate Git state and execute unpinned remote GitHub code if run.
Credentials
Runtime behavior is mostly local and purpose-aligned, with no clear artifact-backed exfiltration or malicious network behavior and clean VirusTotal telemetry. The plugin still observes sensitive agent traffic and writes persistent local audit logs by default.
!
Persistence & Privilege
Persistence is expected for an OpenClaw plugin and local JSONL auditing, but the plugin can remain installed in the OpenClaw extension path and persist audit metadata; uninstall scripts leave policies and audit logs behind unless users manually remove them.
Scan Findings in Context
[SDI-4] unexpected: The OpenClawEventMapper issue is material: inspecting params is expected, but storing the raw params object as params_summary conflicts with the stated summary/minimization behavior.
[SDI-4] expected: Local audit logging is expected, but AuditLogger does not visibly apply the promised redaction boundary and persists subject/session metadata and secret-finding metadata; this supports Review rather than malicious intent.
[SDI-4] unexpected: AuditRedactor’s scanner-finding loop appears ineffective, so the advertised redaction component is unreliable even though this specific helper is not clearly wired into writeAudit.
[SDI-4] expected: findSecretText is understandable for reversible local redaction, but exporting raw secret extraction contradicts the module-level promise that outputs do not include secret plaintext.
[SQP-2] unexpected: PowerShell -ExecutionPolicy Bypass is an under-disclosed installation risk, not required by the core security purpose.
[SQP-2] expected: Merging plugin configuration is expected, but the docs should tell users to review and back up OpenClaw configuration before changing plugin permissions and startup behavior.
[SQP-2] unexpected: The PowerShell prepare-speckit helper’s git init and checkout -B behavior is not part of normal runtime protection and can unexpectedly alter a repository.
[SQP-2] unexpected: The PowerShell prepare-speckit helper executes unpinned remote code through uvx or pipx, creating supply-chain risk if the helper is run.
[SQP-2] unexpected: The shell prepare-speckit helper’s git init and checkout -B behavior is similarly risky and not necessary for the installed guard.
[SQP-2] unexpected: The shell prepare-speckit helper also executes unpinned remote GitHub code through uvx or pipx, which should be pinned or require explicit confirmation.
What to consider before installing
Install only if you are comfortable giving this plugin broad control over OpenClaw runtime decisions and letting it inspect agent messages/tool inputs and write local audit logs. Review the audit path and retained fields, avoid running the prepare-speckit scripts unless you understand the Git and remote-code effects, and prefer a version that fixes the redaction/minimization mismatches and removes the execution-policy-bypass guidance.

Verification

Tier
source linked
Scope
artifact only
Summary
Validated package structure and linked the release to source metadata.
Commit
ae207d79bbad
Tag
release v0.1.0
Provenance
No
Scan status
suspicious

Tags

latest
0.1.0