plugins install: --trust flag undocumented / dangerous code blocks community plugins that use child_process

[zeolenon]

Summary

When trying to install a community plugin (openclaw-codex-app-server) that legitimately uses child_process (to spawn the Codex CLI), installation is blocked with no way to proceed:

```
WARNING: Plugin "openclaw-codex-app-server" contains dangerous code patterns: Shell command execution detected (child_process) (src/client.ts:660)
Plugin "openclaw-codex-app-server" installation blocked: dangerous code patterns detected
```

Steps to reproduce

```bash
openclaw plugins install openclaw-codex-app-server

or

openclaw plugins install openclaw-codex-app-server --dangerously-force-unsafe-install
```

Both commands result in the same blocked error.

Expected behavior

--dangerously-force-unsafe-install should bypass the block (as its name implies), or there should be a --trust flag (which the error message and community docs suggest exists, but does not).

Workaround

Manually add the plugin ID to plugins.allow in openclaw.json after the plugin is already present in ~/.openclaw/extensions/:

```bash
openclaw config set plugins.allow '["openclaw-codex-app-server", ...]'
openclaw gateway restart
```

This is not documented and is hard to discover.

Context

• OpenClaw version: 2026.3.31 (213a704)
• macOS (darwin)
• Plugin: openclaw-codex-app-server@0.5.0 (community, source-linked on ClawHub)

[zeolenon]

Workaround that worked for me on macOS with OpenClaw 2026.3.31:

The normal install path was still blocked even with --dangerously-force-unsafe-install:

openclaw plugins install --dangerously-force-unsafe-install openclaw-codex-app-server

That still failed with the dangerous-code child_process block, so I upgraded the plugin manually to 0.5.0 and it loaded correctly afterwards. Steps I used:

cd /tmp
npm --userconfig /tmp/empty-npmrc pack openclaw-codex-app-server@0.5.0
rm -rf /tmp/openclaw-cas-050
mkdir -p /tmp/openclaw-cas-050
tar -xzf openclaw-codex-app-server-0.5.0.tgz -C /tmp/openclaw-cas-050

Then I reviewed the flagged child_process usage in src/client.ts and it matched the plugin's expected behavior (spawn(this.command, ["app-server", ...this.args], ...)).

After that I replaced the files under ~/.openclaw/extensions/openclaw-codex-app-server with the unpacked package contents (keeping the existing install path), updated the install record in ~/.openclaw/openclaw.json from 0.3.0 to 0.5.0, and restarted the gateway.

After the manual upgrade, this matched the expected state:

openclaw plugins inspect openclaw-codex-app-server
# Status: loaded
# Version: 0.5.0
# Recorded version: 0.5.0

So there seems to be a real bug/regression here: the documented unsafe-install override is still not bypassing the dangerous-code gate for this package via ClawHub, even though the manual install of the same 0.5.0 package works.

[huntharo]

Fixed by #60066