fix(security): block plugin install/load on critical source scan findings#11032
Closed
coygeek wants to merge 1 commit intoopenclaw:mainfrom
Closed
fix(security): block plugin install/load on critical source scan findings#11032coygeek wants to merge 1 commit intoopenclaw:mainfrom
coygeek wants to merge 1 commit intoopenclaw:mainfrom
Conversation
…ings The existing skill-scanner was invoked during plugin installation but operated in warn-only mode, allowing plugins with dangerous code patterns (eval, child_process exec, crypto mining, env harvesting) to install and load without restriction. This change: - Makes installPluginFromPackageDir() block installation when critical scan findings are detected (with skipScan escape hatch for --force) - Adds source scanning to installPluginFromFile() which previously had no scanning at all - Adds pre-load scanning in the plugin loader before jiti() execution, preventing already-installed malicious plugins from being loaded - Propagates skipScan parameter through all install API entry points Scan failures are non-blocking (logged as warnings) to avoid breaking legitimate plugins due to scanner errors. Co-Authored-By: Claude Opus 4.6 <[email protected]>
![greptile-apps[bot]](https://avatars.githubusercontent.com/in/867647?s=60&v=4){kind=small}
Comment on lines
+295
to
+324
| // Scan plugin source for dangerous code patterns before loading | ||
| if (isScannable(candidate.source)) { | ||
| try { | ||
| const rawSource = fs.readFileSync(candidate.source, "utf-8"); | ||
| const scanFindings = scanSource(rawSource, candidate.source); | ||
| const criticalFindings = scanFindings.filter((f) => f.severity === "critical"); | ||
| if (criticalFindings.length > 0) { | ||
| const details = criticalFindings | ||
| .map((f) => `${f.message} (line ${f.line})`) | ||
| .join("; "); | ||
| logger.error( | ||
| `[plugins] ${pluginId} blocked from loading: dangerous code patterns detected in ${candidate.source}: ${details}`, | ||
| ); | ||
| record.status = "error"; | ||
| record.error = `blocked: dangerous code patterns detected: ${details}`; | ||
| registry.plugins.push(record); | ||
| seenIds.set(pluginId, candidate.origin); | ||
| registry.diagnostics.push({ | ||
| level: "error", | ||
| pluginId: record.id, | ||
| source: record.source, | ||
| message: record.error, | ||
| }); | ||
| continue; | ||
| } | ||
| } catch { | ||
| // Scan failure should not prevent loading — log and continue | ||
| logger.warn(`[plugins] ${pluginId} source scan failed for ${candidate.source}`); | ||
| } | ||
| } |
Contributor
There was a problem hiding this comment.
Crash on scan error
The new pre-load scan path uses logger.warn(...) in the catch block, but logger comes from options.logger ?? defaultLogger() where the PluginLogger type is optional methods in some call sites. Elsewhere in this file you consistently use optional chaining (e.g. logger.error?.(...)). If logger.warn is undefined, this catch block will throw and abort plugin loading whenever scanning throws.
Suggested change
| // Scan plugin source for dangerous code patterns before loading | |
| if (isScannable(candidate.source)) { | |
| try { | |
| const rawSource = fs.readFileSync(candidate.source, "utf-8"); | |
| const scanFindings = scanSource(rawSource, candidate.source); | |
| const criticalFindings = scanFindings.filter((f) => f.severity === "critical"); | |
| if (criticalFindings.length > 0) { | |
| const details = criticalFindings | |
| .map((f) => `${f.message} (line ${f.line})`) | |
| .join("; "); | |
| logger.error( | |
| `[plugins] ${pluginId} blocked from loading: dangerous code patterns detected in ${candidate.source}: ${details}`, | |
| ); | |
| record.status = "error"; | |
| record.error = `blocked: dangerous code patterns detected: ${details}`; | |
| registry.plugins.push(record); | |
| seenIds.set(pluginId, candidate.origin); | |
| registry.diagnostics.push({ | |
| level: "error", | |
| pluginId: record.id, | |
| source: record.source, | |
| message: record.error, | |
| }); | |
| continue; | |
| } | |
| } catch { | |
| // Scan failure should not prevent loading — log and continue | |
| logger.warn(`[plugins] ${pluginId} source scan failed for ${candidate.source}`); | |
| } | |
| } | |
| logger.warn?.(`[plugins] ${pluginId} source scan failed for ${candidate.source}`); |
Prompt To Fix With AI
This is a comment left during a code review.
Path: src/plugins/loader.ts
Line: 295:324
Comment:
**Crash on scan error**
The new pre-load scan path uses `logger.warn(...)` in the `catch` block, but `logger` comes from `options.logger ?? defaultLogger()` where the `PluginLogger` type is optional methods in some call sites. Elsewhere in this file you consistently use optional chaining (e.g. `logger.error?.(...)`). If `logger.warn` is undefined, this catch block will throw and abort plugin loading whenever scanning throws.
```suggestion
logger.warn?.(`[plugins] ${pluginId} source scan failed for ${candidate.source}`);
```
How can I resolve this? If you propose a fix, please make it concise.
Contributor
Additional Comments (2)
Prompt To Fix With AIThis is a comment left during a code review.
Path: src/plugins/install.test.ts
Line: 373:408
Comment:
**Behavior change breaks test**
`installPluginFromPackageDir` now blocks installs on *critical* scan findings unless `skipScan` is set, but this test still expects installs with `child_process.exec(...)` to succeed. As written, it will now fail deterministically because `dangerous-exec` is `critical` in `src/security/skill-scanner.ts`. Update the test to either expect a blocked install, or pass `skipScan: true` and assert the overridden-warning message.
How can I resolve this? If you propose a fix, please make it concise.
This test also expects the install to succeed while the extension entry contains Prompt To Fix With AIThis is a comment left during a code review.
Path: src/plugins/install.test.ts
Line: 410:445
Comment:
**Critical scan now blocks**
This test also expects the install to succeed while the extension entry contains `child_process.exec(...)`, which the scanner marks as `critical`. After this PR, `installPluginFromPackageDir` returns `{ ok: false }` unless `skipScan` is set, so this assertion will now fail. Adjust expectations (blocked vs overridden with `skipScan: true`) to match the new behavior.
How can I resolve this? If you propose a fix, please make it concise. |
This was referenced Feb 7, 2026
thewilloftheshadow
force-pushed
the
main
branch
from
bfc1ccb to
f92900f
Compare
|
This pull request has been automatically marked as stale due to inactivity. |
openclaw-barnacle
bot
added
stale
Contributor
Author
|
Closing: linked issue #11030 was closed as not planned. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fix Summary
Add source code scanning at both plugin install and load time. The existing
skill-scanner.tsmodule already detects dangerous patterns (child_process, eval/new Function, crypto mining, obfuscated code, env harvesting) but its findings were warn-only at install time and completely absent at load time.Changes:
scanDirectoryWithSummary()blocking on critical findings (was warn-only). Add scanning toinstallPluginFromFile()which previously had zero checks. AddskipScanparameter for--forceflag support.jiti(candidate.source)call. Block loading when critical findings detected.Issue Linkage
Fixes #11030
Security Snapshot
Implementation Details
Files Changed
src/plugins/install.ts(+52/-3)src/plugins/loader.ts(+32/-0)Technical Analysis
Add source code scanning at both plugin install and load time. The existing
skill-scanner.tsmodule already detects dangerous patterns (child_process, eval/new Function, crypto mining, obfuscated code, env harvesting) but its findings were warn-only at install time and completely absent at load time.Validation Evidence
install.tsRisk and Compatibility
non-breaking; compatibility impact was not explicitly documented in the original PR body.
AI-Assisted Disclosure
Greptile Overview
Greptile Summary
skipScanescape hatch.jiti()execution when critical patterns are detected.skill-scannerlogic into both install-time and load-time plugin workflows to reduce arbitrary code execution risk.Confidence Score: 3/5
Context used:
dashboard- CLAUDE.md (source)dashboard- AGENTS.md (source)