fix(security): harden plugin/hook npm installs

2026-03-08 06:54:24 +00:00 · 2026-02-14 14:07:07 +01:00
parent d69b32a073
commit 6f7d31c426
10 changed files with 391 additions and 119 deletions
--- a/docs/cli/plugins.md
+++ b/docs/cli/plugins.md
@@ -44,6 +44,9 @@ openclaw plugins install <path-or-spec>

 Security note: treat plugin installs like running code. Prefer pinned versions.

+Npm specs are **registry-only** (package name + optional version/tag). Git/URL/file
+specs are rejected. Dependency installs run with `--ignore-scripts` for safety.
+
 Supported archives: `.zip`, `.tgz`, `.tar.gz`, `.tar`.

 Use `--link` to avoid copying a local directory (adds to `plugins.load.paths`):