Summary

• Problem: OpenClaw auto-discovered and default-enabled workspace plugins from .openclaw/extensions, so cloned repositories could execute plugin code without an explicit trust decision.
• Why it matters: running the gateway inside an untrusted cloned repo could execute arbitrary workspace plugin code on the host.
• What changed: workspace-discovered plugins are now disabled by default unless explicitly trusted through plugins.allow or a per-plugin enable entry.
• What did NOT change (scope boundary): explicitly trusted workspace plugins still load, and non-workspace plugin trust behavior is unchanged.

Change Type (select all)

• Bug fix
• Feature
• Refactor
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Related GHSA-99qw-6mr3-36qr

User-visible / Behavior Changes

Workspace-discovered plugins under .openclaw/extensions no longer auto-load by default. Operators must explicitly trust them with plugins.allow or an explicit plugin entry.

Security Impact (required)

• New permissions/capabilities? (Yes/No) No
• Secrets/tokens handling changed? (Yes/No) No
• New/changed network calls? (Yes/No) No
• Command/tool execution surface changed? (Yes/No) Yes
• Data access scope changed? (Yes/No) Yes
• If any Yes, explain risk + mitigation: the change reduces implicit command/data access by requiring an explicit trust decision before workspace plugin code can execute.

Repro + Verification

Environment

• OS: macOS
• Runtime/container: Node 22 / pnpm
• Model/provider: N/A
• Integration/channel (if any): plugin loader
• Relevant config (redacted): default plugins config with empty plugins.allow

Steps

1. Create a temp workspace containing .openclaw/extensions/<id>/openclaw.plugin.json and index.ts with a side effect in register().
2. Load plugins with loadOpenClawPlugins({ workspaceDir, config: {} }).
3. Observe whether the workspace plugin is loaded automatically.

Expected

• Workspace plugin is discovered but disabled until explicitly trusted.

Actual

• With this patch, the workspace plugin is disabled by default and loads only when explicitly allowlisted.

Evidence

• Failing test/log before + passing after
• Trace/log snippets
• Screenshot/recording
• Perf numbers (if relevant)

Human Verification (required)

What you personally verified (not just CI), and how:

• Verified scenarios: reproduced the pre-fix auto-load path with a temp workspace plugin; verified the patched branch disables it by default and still allows explicit trust via plugins.allow.
• Edge cases checked: explicit per-plugin enable and explicit allowlist both preserve intended workspace plugin loading.
• What you did not verify: full end-to-end gateway startup against every plugin origin.

Review Conversations

• I replied to or resolved every bot review conversation I addressed in this PR.
• I left unresolved only the conversations that still need reviewer or maintainer judgment.

Compatibility / Migration

• Backward compatible? (Yes/No) No
• Config/env changes? (Yes/No) No
• Migration needed? (Yes/No) Maybe
• If yes, exact upgrade steps: if you intentionally use workspace plugins, add their ids to plugins.allow or explicitly enable them in plugins.entries.

Failure Recovery (if this breaks)

• How to disable/revert this change quickly: revert the branch or explicitly trust the affected workspace plugin.
• Files/config to restore: src/plugins/config-state.ts
• Known bad symptoms reviewers should watch for: intentionally used workspace plugins no longer loading until trusted.

Risks and Mitigations

• Risk: operators relying on implicit workspace plugin loading will see plugins disabled after upgrade.
• Mitigation: explicit allowlist and per-plugin enable paths continue to work, and tests cover both trust mechanisms.