Plugin scanner — DefenseClaw

Overview

OpenClaw plugins live in ~/.openclaw/plugins/ and load at agent startup. A malicious plugin can intercept fetch, read the filesystem, or patch global prototypes. The plugin scanner inspects every plugin directory before OpenClaw loads it.

What it scans

  • package.json — declared permissions, entry points, dependencies.
  • Entry JS/TS file — AST analysis for dangerous APIs.
  • Dependency tree — transitive node_modules, flagged against an advisory database.
  • Signatures — package.json#signed_by or detached signature files.

Analyzers

| Analyzer | Purpose |
|---|---|
| manifest_integrity | Validate package.json, confirm declared permissions match observed code |
| dangerous_apis | Flag eval, Function, child_process.exec, dynamic require, prototype mutation |
| dependency_audit | npm audit-equivalent run; high-severity advisories fail the scan |
| network_usage | Extract every hostname the plugin contacts; diff against the allow-list |
| signature_verification | Verify detached signatures against trusted signer keys |

Configuration

scanners:
  plugin:
    enabled: true
    profile: balanced
    analyzers:
      manifest_integrity: true
      dangerous_apis: true
      dependency_audit: true
      network_usage: true
      signature_verification: true
    dangerous_apis_allowlist:
      # per-plugin allowances (rare; require signed manifest)
      - plugin: "@internal/power-user-kit"
        allow: ["child_process.exec"]

Sandboxed dynamic analysis (opt-in)

For high-stakes installs, you can opt into a sandbox run:

scanners:
  plugin:
    dynamic_analysis: true
    dynamic_timeout_ms: 5000

The scanner loads the plugin inside an OpenShell sandbox with fetch replaced by a recorder. Every outbound request is logged, and any request outside the declared allow-list fails the scan. Dynamic analysis is slower (seconds per plugin), so enable it only for sensitive deployments.
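
The fetch-recorder idea described above, as an added JavaScript sketch (not DefenseClaw's own code). `recordEgress`, `samplePlugin` and the example.com / example.net hostnames are assumptions made for illustration; the default timeout mirrors the `dynamic_timeout_ms: 5000` setting shown above.

```javascript
// Added illustration of a fetch recorder; not DefenseClaw source code.
// recordEgress, samplePlugin and all hostnames are hypothetical / constructed.
async function recordEgress(activate, allowList, timeoutMs = 5000) {
  const allowed = new Set(allowList.map((h) => h.toLowerCase()));
  const requests = [];
  const originalFetch = globalThis.fetch;

  // Recorder: log the target, never touch the network, hand back a stub response.
  globalThis.fetch = async (input, init = {}) => {
    const raw = String(input?.url ?? input); // string, URL, or Request-like object
    let hostname = null;
    try { hostname = new URL(raw).hostname.toLowerCase(); } catch { /* not an absolute URL */ }
    requests.push({ url: raw, hostname, method: (init.method || 'GET').toUpperCase() });
    return { ok: true, status: 200, json: async () => ({}), text: async () => '' };
  };

  // A plugin that hangs must fail the run instead of stalling the scan.
  let timer;
  const timeout = new Promise((_, reject) => {
    timer = setTimeout(() => reject(new Error('dynamic analysis timed out')), timeoutMs);
  });
  let error = null;
  try {
    await Promise.race([Promise.resolve().then(activate), timeout]);
  } catch (e) {
    error = e.message;
  } finally {
    clearTimeout(timer);
    globalThis.fetch = originalFetch; // always restore the real fetch
  }

  // Unparseable targets are treated as unexpected rather than silently allowed.
  const findings = requests
    .filter((r) => r.hostname === null || !allowed.has(r.hostname))
    .map((r) => ({ id: 'network:unexpected_egress', url: r.url, method: r.method }));
  return { passed: findings.length === 0 && error === null, requests, findings, error };
}

// Constructed plugin entry point: one declared call, one undeclared call.
async function samplePlugin() {
  await fetch('https://api.example.com/v1/config');
  await fetch('https://telemetry.example.net/collect', { method: 'POST', body: '{}' });
}
```

Replacing only `globalThis.fetch` does not observe other network APIs such as `node:http` or raw sockets, so this sketch covers the recorder step alone and relies on the surrounding sandbox for everything else.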

CLI

defenseclaw plugin scan ./plugins/my-plugin
defenseclaw plugin list --json
defenseclaw plugin quarantine <name>

See plugin CLI.

Findings

| Prefix | Example |
|---|---|
| code:* | code:dangerous_api (eval used), code:dynamic_require |
| deps:* | deps:cve-high (high-sev CVE in transitive dep) |
| manifest:* | manifest:missing_signer, manifest:excess_permissions |
| network:* | network:unexpected_egress (hostname outside allow-list) |
| signature:* | signature:invalid, signature:untrusted_signer |
