
© 2026 – Pkg Stats / Ryan Hefner

openclaw-scanner

v0.7.0

Published

OpenClaw Scanner — ingress review and egress blocking plugin for OpenClaw agents.

Readme

OpenClaw Scanner (OCS)

License: MIT

openclaw-scanner is an essential part of a broader OpenClaw security posture. It adds two checks around the model loop: on ingress, it reviews untrusted tool output through a configured review model before the next model turn; on egress, it reviews risky tool actions through a configured review model before they execute. It also records whether files and packages touched by a tool call were scanned. Today that per-call scanner coverage comes from ClamAV and OSV-Scanner.

If your agent downloads files or installs packages, we recommend running openclaw-scand. If it can run exec-capable or other high-impact tools, we recommend adding openclaw-action-reviewd too.

Recommended Setups

| Tier | Components | Recommended for |
|------|-----------|-----------------|
| Plugin only | openclaw-scanner | Chat-first or otherwise low-risk profiles |
| Plugin + scan daemon | openclaw-scanner + openclaw-scand | Any profile that downloads files or installs packages |
| Plugin + scan daemon + approval service | openclaw-scanner + openclaw-scand + openclaw-action-reviewd | Exec-capable or other high-impact profiles |

Quick Start

Install the plugin inside OpenClaw:

openclaw plugins install openclaw-scanner

If you also want the helper daemons, install the package on the host so the binaries are available to your service manager:

npm install -g openclaw-scanner

The npm package ships openclaw-scand and openclaw-action-reviewd. It does not create system services for them, and it does not install ClamAV or OSV-Scanner for you. Those are separate packages that you must install on the host yourself.

openclaw-scand isolates file and package scanning. openclaw-action-reviewd isolates approval ownership for ask-level actions.

If you want help choosing a deployment tier or wiring the helper daemons into a real host, email [email protected].

Mental Model

1. Two Guards, Two Doors

┌──────────────────────────────┐         ┌───────────────────────┐         ┌──────────────────────────────┐
│ Outside World                │         │ AI Agent / OpenClaw   │         │ Outside World                │
│ web pages, APIs, tool output │ ─────▶  │ your pod runtime      │ ─────▶  │ email, shell, git, deploys   │
└──────────────────────────────┘         └───────────────────────┘         └──────────────────────────────┘
               ▲                                         ▲                                         ▲
               │                                         │                                         │
        Ingress Guard                             decides what the                           Egress Guard
      "What's coming in?"                         agent actually sees                      "What's going out?"
      - prompt injection?                                                                   - safe to run?
      - hostile instructions?                                                                - secrets or exfil?
      - wrap or quarantine it?                                                               - needs approval?

2. Ingress Review For Untrusted Tool Output

Agent calls browser tool
        │
        ▼
Gets webpage HTML back
        │
        ▼
Is this tool trusted or untrusted?
(browser = untrusted content source)
        │
        ▼
Ingress review scans the content
┌───────────────┬───────────────┬──────────────────────────┐
│ ALLOW         │ WARN          │ QUARANTINE               │
│ clean         │ suspicious    │ prompt injection         │
├───────────────┼───────────────┼──────────────────────────┤
│ raw content   │ wrapped as    │ replaced with            │
│ passes        │ untrusted     │ "[content quarantined]"  │
│ through       │ reference     │ the agent never sees it  │
│               │ material      │                          │
└───────────────┴───────────────┴──────────────────────────┘

3. Approval Loop For High-Impact Egress

Agent wants to run: git push --force origin main
        │
        ▼
Egress guard (`policy.mjs`) => finalAction: "ask"
reasonCode: "high_impact_shell_command"
        │
        ▼
OpenClaw runtime only supports "allow" or "block"
so the first attempt becomes a BLOCK with a structured reason
        │
        ▼
Agent tells the user:
"Security requires approval for this action: force push"
        │
        ▼
User replies: "Do it"
        │
        ▼
Approval-intent review records approval for that exact action
        │
        ▼
Agent retries git push --force origin main
        │
        ▼
Egress guard finds the stored approval and ALLOWS it once
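The loop above, modelled as an added example in plain JavaScript (this is not the plugin's own `policy.mjs`; the `evaluatePolicy` patterns, the `ApprovalLedger` class and the `egressGuard` function are illustrative assumptions). It shows why the first attempt is reported as a block with a structured reason, why the ledger is keyed on the exact command string, and why the stored approval is consumed on the first retry.

```javascript
// Added example, not the plugin's code: a minimal egress guard that
// reduces a three-way policy result ("allow" | "ask" | "block") to the
// two-way vocabulary the runtime understands ("allow" | "block").

// Hypothetical policy. Patterns are illustrative, not the plugin's rules.
const HIGH_IMPACT = [/^git\s+push\s+.*--force\b/, /^rm\s+-rf\s+\//];

function evaluatePolicy(command) {
  if (HIGH_IMPACT.some((re) => re.test(command))) {
    return { finalAction: "ask", reasonCode: "high_impact_shell_command" };
  }
  return { finalAction: "allow", reasonCode: "default_allow" };
}

// Approval ledger keyed on the exact command string: "Do it" for
// `git push --force origin main` never covers any other command, and
// each recorded approval is single-use.
class ApprovalLedger {
  constructor() { this.approved = new Set(); }
  // Called by the approval-intent review once the user has said yes.
  record(command) { this.approved.add(command); }
  // Returns true exactly once per recorded approval, then forgets it.
  consume(command) { return this.approved.delete(command); }
}

function egressGuard(command, ledger) {
  const decision = evaluatePolicy(command);
  if (decision.finalAction !== "ask") {
    return { action: decision.finalAction, reasonCode: decision.reasonCode };
  }
  // "ask" with a stored approval: allow it this one time.
  if (ledger.consume(command)) {
    return { action: "allow", reasonCode: "approved_once" };
  }
  // "ask" without an approval: the runtime only knows allow/block, so the
  // first attempt becomes a block whose reason tells the agent what to
  // relay to the user.
  return {
    action: "block",
    reasonCode: decision.reasonCode,
    message: `Security requires approval for this action: ${command}`,
  };
}
```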

Read Next

Start here:

  • Deployment — what to install, what the helper daemons need, and when each tier makes sense
  • Configuration — default behavior, common config knobs, and example configs
  • Operations — reports, ledgers, logs, and smoke-test entry points

Understand the model:

  • Architecture — where ingress, egress, scanning, approvals, and exec posture fit together
  • Scanning — what ClamAV and OSV-Scanner cover today, and what they do not
  • Limitations — current runtime boundaries
  • Roadmap — future work such as artifact taint and script re-checks

Deep reference:

Related Projects

  • OpenClaw — the agent runtime this plugin extends
  • ClamAV — the malware scanner OCS uses for file scanning
  • OSV-Scanner — the package vulnerability scanner OCS uses for SCA
  • bubblewrap — the Linux sandbox openclaw-scand uses to isolate OSV-Scanner
  • MoltPod — managed cloud hosting for OpenClaw agents