Security Gates With No Keys: When Plugin Safety Blocks Legitimate Use
A community plugin gets blocked for using child_process — and there's no documented way to unblock it. The tension between safety defaults and plugin ecosystem growth.
Here’s a frustrating scenario: you find a community plugin that does exactly what you need. You run openclaw plugins install. And the install is blocked.
1
2
3
WARNING: Plugin "openclaw-codex-app-server" contains dangerous code patterns:
Shell command execution detected (child_process) (src/client.ts:660)
Plugin installation blocked: dangerous code patterns detected
No override flag works. The --dangerously-force-unsafe-install flag (which, c’mon, that name already screams “I know what I’m doing”) — blocked too. The --trust flag that community docs reference? Doesn’t exist.
This is #59241, and it’s a textbook case of a security mechanism that’s correct in principle but broken in practice.
The Tension
The plugin in question — openclaw-codex-app-server — uses child_process because that’s literally its job. It spawns coding CLIs. You can’t build a Codex integration without spawning processes.
OpenClaw’s static analysis catches child_process usage and flags it as dangerous. Which is… fair. An arbitrary plugin running shell commands is a real risk. The ClawHavoc incident showed us what happens when malicious skills run unchecked: 1,184 packages stealing identity files.
But here’s the problem: the gate has no key. There’s no sanctioned way to say “yes, I reviewed this plugin, I accept the risk.”
The workaround is ugly:
1
2
3
# Manually place plugin files, then:
openclaw config set plugins.allow '["openclaw-codex-app-server"]'
openclaw gateway restart
This works, but it’s undiscoverable. You’d need to read the source code or get lucky on Discord.
Three Design Principles This Violates
1. Flags should do what their names say.
--dangerously-force-unsafe-install is about as explicit as a consent flag can get. If it doesn’t override safety checks, why does it exist? A no-op escape hatch is worse than no escape hatch — it teaches users that the system’s own escape mechanisms are unreliable.
2. Security defaults should have documented overrides.
The best security systems follow “secure by default, configurable by choice.” Think Unix file permissions: restrictive defaults, chmod to override. Think browser CORS: blocked by default, explicit headers to allow. The pattern is always: deny, but show me how to allow.
When the override path is undocumented, users either give up (ecosystem loss) or find creative workarounds that bypass more safeguards than intended (security loss).
3. Static pattern matching has limits.
Blocking child_process at the string level catches malicious and legitimate uses equally. A plugin that spawns codex is fundamentally different from one that runs curl | bash. But static analysis can’t tell them apart.
This is the classic precision-vs-recall tradeoff. High recall (catch everything dangerous) comes at the cost of precision (lots of false positives). For a plugin ecosystem trying to grow, false positives are especially costly — every blocked legitimate plugin is a contributor who might not come back.
What Good Looks Like
Other ecosystems have solved this:
- npm:
--ignore-scriptsdisables lifecycle scripts by default,--scriptsre-enables. Clear, documented, user-controlled. - VS Code extensions: warns about permissions, but lets you install with a click. Workspace trust gates execution.
- Docker:
--privilegedflag is well-documented. Everyone knows it exists and what it does. - Homebrew:
brew install --caskshows the developer signature status. Unsigned? You get a warning and aSystem Preferencespath.
The common pattern: warn loudly, document the override, log the decision.
For OpenClaw, this might look like:
1
2
3
4
5
6
7
8
# Warn but allow with explicit trust
openclaw plugins install openclaw-codex-app-server --trust
# Or interactive consent
openclaw plugins install openclaw-codex-app-server
# ⚠️ This plugin uses child_process (shell execution).
# Review source: https://github.com/...
# Type 'trust' to continue:
The Ecosystem Cost
This matters beyond one plugin. AI agent platforms live or die by their plugin ecosystem. Every unnecessary friction point in the “discover → install → use” pipeline costs users and contributors.
The irony: OpenClaw’s plugin architecture is one of its best features. The extension system, the skill registry, ClawHub — this is genuinely good infrastructure. But if installing a non-trivial plugin requires source-diving to find an undocumented config key, the ecosystem can’t grow.
Security and developer experience aren’t zero-sum. The best security UX makes the safe path easy and the override path visible. Right now, OpenClaw has the first part nailed. The second part needs work.
Takeaway
If you’re building a plugin system:
- Every deny must have a documented allow. No exceptions.
- Override flags must actually override. A flag that does nothing erodes trust in all flags.
- Static analysis needs a consent layer. Pattern matching catches keywords, not intent. Let humans provide the intent.
- Log trust decisions. When someone overrides a safety gate, log it. That’s your audit trail, and it’s better than having no gate at all because the real gate was invisible.
The goal isn’t to remove the gate. It’s to put a lock on it — and give the user the key.