feat(plugins): add dangerous unsafe install override

2026-04-25 23:47:20 +00:00 · 2026-03-31 23:16:01 +09:00
parent 59866dd253
commit 44b9936136
15 changed files with 337 additions and 7 deletions
--- a/docs/cli/plugins.md
+++ b/docs/cli/plugins.md
@@ -49,6 +49,7 @@ capabilities.
 openclaw plugins install <package>                      # ClawHub first, then npm
 openclaw plugins install clawhub:<package>              # ClawHub only
 openclaw plugins install <package> --pin                # pin version
+openclaw plugins install <package> --dangerously-force-unsafe-install
 openclaw plugins install <path>                         # local path
 openclaw plugins install <plugin>@<marketplace>         # marketplace
 openclaw plugins install <plugin> --marketplace <name>  # marketplace (explicit)
@@ -57,6 +58,12 @@ openclaw plugins install <plugin> --marketplace <name>  # marketplace (explicit)
 Bare package names are checked against ClawHub first, then npm. Security note:
 treat plugin installs like running code. Prefer pinned versions.

+`--dangerously-force-unsafe-install` is a break-glass option for false positives
+in the built-in dangerous-code scanner. It allows the install to continue even
+when the built-in scanner reports `critical` findings, but it does **not**
+bypass plugin `before_install` hook policy blocks and does **not** bypass scan
+failures.
+
 `plugins install` is also the install surface for hook packs that expose
 `openclaw.hooks` in `package.json`. Use `openclaw hooks` for filtered hook
 visibility and per-hook enablement, not package installation.
--- a/docs/gateway/security/index.md
+++ b/docs/gateway/security/index.md
@@ -447,8 +447,10 @@ Plugins run **in-process** with the Gateway. Treat them as trusted code:
 - Restart the Gateway after plugin changes.
 - If you install plugins (`openclaw plugins install <package>`), treat it like running untrusted code:
  - The install path is the per-plugin directory under the active plugin install root.
+  - OpenClaw runs a built-in dangerous-code scan before install. `critical` findings block by default.
  - OpenClaw uses `npm pack` and then runs `npm install --omit=dev` in that directory (npm lifecycle scripts can execute code during install).
  - Prefer pinned, exact versions (`@scope/pkg@1.2.3`), and inspect the unpacked code on disk before enabling.
+  - `--dangerously-force-unsafe-install` is break-glass only for built-in scan false positives. It does not bypass plugin `before_install` hook policy blocks and does not bypass scan failures.

 Details: [Plugins](/tools/plugin)

--- a/docs/tools/plugin.md
+++ b/docs/tools/plugin.md
@@ -211,6 +211,7 @@ openclaw plugins install <package>        # install (ClawHub first, then npm)
 openclaw plugins install clawhub:<pkg>   # install from ClawHub only
 openclaw plugins install <path>          # install from local path
 openclaw plugins install -l <path>       # link (no copy) for dev
+openclaw plugins install <spec> --dangerously-force-unsafe-install
 openclaw plugins update <id>             # update one plugin
 openclaw plugins update --all            # update all

@@ -218,6 +219,11 @@ openclaw plugins enable <id>
 openclaw plugins disable <id>
 ```

+`--dangerously-force-unsafe-install` is a break-glass override for false
+positives from the built-in dangerous-code scanner. It allows installs to
+continue past built-in `critical` findings, but it still does not bypass plugin
+`before_install` policy blocks or scan-failure blocking.
+
 See [`openclaw plugins` CLI reference](/cli/plugins) for full details.

 ## Plugin API overview