Security Check

Plugin Allowlist: Trust Only What You Need

OpenClaw plugins run with the same OS privileges as the gateway. Without an allowlist, any installed plugin loads automatically.

Why It Matters

A malicious or compromised plugin has full gateway-level access — it can read conversations, modify responses, access tools, and exfiltrate data. An explicit allowlist ensures only reviewed, trusted plugins can load.

How to Fix

Add a plugins.allow array to openclaw.json listing only the plugin IDs you actually use; anything not listed will not load. Review a plugin's source and the tools it requests before adding it, and prune entries for plugins you no longer use so the allowlist does not become a pre-approved slot for something installed later under the same ID.

openclaw.json
{
  "plugins": {
    "allow": ["telegram", "discord", "web"]
  }
}
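As an added example (not code from the original page or from OpenClaw itself), the script below audits the plugins.allow setting and shows the practical difference between a config with no allowlist and the hardened one above. It assumes the config shape is exactly the one shown ({ plugins: { allow: [...] } }); the installed plugin IDs and both sample configs are constructed for illustration.

```javascript
// Added example, not OpenClaw's own code: audit the plugins.allow setting in
// an openclaw.json object and work out which installed plugins would load
// under it. The config shape ({ plugins: { allow: [...] } }) is the one shown
// on the page; the installed-plugin IDs and the two configs further down are
// constructed sample data, not a real installation.

// Audit the allowlist. Returns { ok, findings, allow }, where `allow` is the
// de-duplicated list of allowed IDs, or null when no usable allowlist exists.
function checkPluginAllowlist(config) {
  const findings = [];
  const plugins = config && typeof config === "object" ? config.plugins : undefined;
  if (!plugins || typeof plugins !== "object") {
    findings.push("no plugins section: every installed plugin will load");
    return { ok: false, findings, allow: null };
  }
  if (plugins.allow === undefined) {
    findings.push("plugins.allow is missing: every installed plugin will load");
    return { ok: false, findings, allow: null };
  }
  if (!Array.isArray(plugins.allow)) {
    findings.push(`plugins.allow must be an array, got ${typeof plugins.allow}`);
    return { ok: false, findings, allow: null };
  }
  const allow = [];
  for (const entry of plugins.allow) {
    if (typeof entry !== "string" || entry.trim() === "") {
      findings.push(`ignored non-string or empty entry: ${JSON.stringify(entry)}`);
    } else if (allow.includes(entry)) {
      findings.push(`duplicate entry: ${entry}`);
    } else {
      allow.push(entry);
    }
  }
  return { ok: findings.length === 0, findings, allow };
}

// Plugins that would load: with no usable allowlist, everything installed
// loads (the behaviour described above); otherwise only the listed IDs.
function pluginsThatWouldLoad(config, installedIds) {
  const { allow } = checkPluginAllowlist(config);
  return allow === null ? [...installedIds] : installedIds.filter((id) => allow.includes(id));
}

// Allowlisted IDs that are not installed: stale entries worth pruning, since
// each one is a pre-approved slot for whatever is installed later under that name.
function staleAllowEntries(config, installedIds) {
  const { allow } = checkPluginAllowlist(config);
  return allow === null ? [] : allow.filter((id) => !installedIds.includes(id));
}

// Constructed sample data (assumption: not a real plugin directory).
const INSTALLED = ["telegram", "discord", "web", "calendar-sync", "old-importer"];
const WEAK_CONFIG = { plugins: {} };
const HARDENED_CONFIG = { plugins: { allow: ["telegram", "discord", "web"] } };

for (const [name, cfg] of [["weak", WEAK_CONFIG], ["hardened", HARDENED_CONFIG]]) {
  const result = checkPluginAllowlist(cfg);
  console.log(`${name}: ok=${result.ok} loads=${JSON.stringify(pluginsThatWouldLoad(cfg, INSTALLED))}`);
  for (const f of result.findings) console.log(`  - ${f}`);
  console.log(`  stale=${JSON.stringify(staleAllowEntries(cfg, INSTALLED))}`);
}
```

To run this against a real deployment, pass JSON.parse(fs.readFileSync("openclaw.json", "utf8")) as the config and the IDs found in your plugin directory as installedIds. The weak config loads all five sample plugins, including the two nobody reviewed; the hardened one loads exactly the three listed. Anything reported as stale should be removed rather than left in place.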

Check your config for this vulnerability

The free scanner tests this and 11 other security checks.

Skip the hardening

Clawctl manages all 12 security checks automatically. Enterprise defaults, zero config.