shoofly-plugin-scan
Scans an OpenClaw plugin directory for security issues before installation.
Usage
shoofly-plugin-scan <path-to-plugin>
Checks
- Credential patterns — API keys (sk-, ghp_, AKIA-prefixed) and PEM private key blocks
- Obfuscated code — long hex/base64 string literals, eval(), the Function() constructor
- Unusual network calls — URLs whose host is not in the allowlist below
- Sensitive path access — ~/.ssh, ~/.aws, ~/.gnupg, /etc/passwd, paths containing credentials
- Exec patterns — child_process.exec with non-literal arguments, spawn/exec options with shell: true
Exit codes
| Code | Meaning |
| ---- | ------- |
| 0 | Clean — no findings |
| 1 | Findings — review before installing |
| 2 | Scan error |
Allowlisted hosts
github.com, npmjs.com, openclaw.ai, clawhub.com, shoofly.dev