fix(plugins): support legacy install entry fallback

[liuxiaopai-ai]

Summary

Describe the problem and fix in 2–5 bullets:

• Problem: plugin install currently hard-fails when package.json lacks openclaw.extensions, including legacy package shapes that still ship a valid openclaw.plugin.json and conventional entry file.
• Why it matters: users cannot install older plugin packages (for example early diffs package builds) even though runtime metadata is otherwise valid.
• What changed: added a compatibility fallback in plugin install flow that accepts default entry files (./index.ts, ./index.js, ./dist/index.js) when openclaw.extensions is missing/empty but openclaw.plugin.json is valid.
• What did NOT change (scope boundary): packages without both openclaw.extensions and a valid plugin manifest remain rejected; manifest/path boundary checks and scanner behavior are unchanged.

Change Type (select all)

• Bug fix
• Feature
• Refactor
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Closes Plugin diffs v0.1.1 install fails: package.json missing openclaw.extensions #32019

User-visible / Behavior Changes

Plugin installation now supports a legacy package format: missing openclaw.extensions no longer blocks install when a valid openclaw.plugin.json is present and a default entry file exists.

Security Impact (required)

• New permissions/capabilities? (No)
• Secrets/tokens handling changed? (No)
• New/changed network calls? (No)
• Command/tool execution surface changed? (No)
• Data access scope changed? (No)
• If any Yes, explain risk + mitigation:

Repro + Verification

Environment

• OS: macOS
• Runtime/container: Node 22 + pnpm
• Model/provider: N/A
• Integration/channel (if any): Plugin install flow
• Relevant config (redacted): plugin install into extensions dir

Steps

1. Attempt to install a plugin package missing package.json openclaw.extensions.
2. Ensure package includes valid openclaw.plugin.json and default entry file.
3. Re-run install with this branch.

Expected

• Legacy package shape installs successfully when fallback prerequisites are met.
• Packages lacking both metadata and fallback entry remain rejected.

Actual

• Before fix: immediate package.json missing openclaw.extensions failure.
• After fix: install succeeds for valid legacy shape.

Evidence

Attach at least one:

• Failing test/log before + passing after
• Trace/log snippets
• Screenshot/recording
• Perf numbers (if relevant)

Validation run on this branch:

• pnpm exec vitest run src/plugins/install.test.ts
• pnpm lint src/plugins/install.ts src/plugins/install.test.ts CHANGELOG.md
• pnpm tsgo
• pnpm exec oxfmt --check src/plugins/install.ts src/plugins/install.test.ts CHANGELOG.md

Human Verification (required)

What you personally verified (not just CI), and how:

• Verified scenarios: missing openclaw.extensions still rejects by default; valid plugin-manifest + index.ts fallback now installs and reports resolved extension list.
• Edge cases checked: fallback only activates when plugin manifest parsing succeeds; entry path must exist in package root.
• What you did not verify: end-to-end install of the exact external diffs@0.1.1 tarball from npm in this iteration.

Compatibility / Migration

• Backward compatible? (Yes)
• Config/env changes? (No)
• Migration needed? (No)
• If yes, exact upgrade steps:

Failure Recovery (if this breaks)

• How to disable/revert this change quickly: revert this PR commit.
• Files/config to restore: src/plugins/install.ts, src/plugins/install.test.ts, CHANGELOG.md.
• Known bad symptoms reviewers should watch for: plugin installs unexpectedly accepting packages with malformed manifests and no valid entry files.

Risks and Mitigations

• Risk: fallback could unintentionally broaden accepted package shapes.
  • Mitigation: fallback requires valid openclaw.plugin.json plus a concrete whitelisted default entry file that exists on disk.

[aisle-research-bot]

🔒 Aisle Security Analysis

We found 1 potential security issue(s) in this PR:

#	Severity	Title
1	🟡 Medium	Symlink-based arbitrary file read during plugin install via legacy extension fallback + scanner

---

1. 🟡 Symlink-based arbitrary file read during plugin install via legacy extension fallback + scanner

Property	Value
Severity	Medium
CWE	CWE-59
Location	src/plugins/install.ts:86-97

Description

The new legacy extension fallback logic in resolveLegacyExtensionsFallback() treats an entry as present if fileExists() returns true for path.join(packageDir, entry). The shared fileExists() helper uses fs.stat(), which follows symlinks.

This enables a malicious local directory plugin (installed via installPluginFromDir()), which includes an openclaw.plugin.json (so fallback activates) and a symlink like index.js -> /etc/passwd, to:

• Have the symlink accepted as an extension entry by the fallback (fs.stat() succeeds)
• Cause the install-time scanner to later fs.readFile() the extension entry path (via includeFiles), which will follow the symlink and read a file outside the plugin directory

While the runtime loader appears to perform boundary checks before executing the plugin entry, the install-time scan path still performs an out-of-bound file read, which is a link-resolution vulnerability.

Vulnerable code (fallback existence check):

exists: await fileExists(path.join(packageDir, entry)),

Data flow (high level):

• input: plugin-controlled filesystem entry packageDir/index.js (symlink)
• decision point: resolveLegacyExtensionsFallback() considers it existing
• sink: install-time scan reads the file content via fs.readFile() on that path (symlink-following)

Recommendation

Harden legacy fallback resolution (and ideally extension entry handling in general) against symlink/hardlink tricks.

Recommended fix: use a boundary-aware open that rejects symlinks and hardlinks (or at minimum use lstat + realpath containment) instead of fileExists().

Example (boundary open, safest):

import fs from "node:fs";
import { openBoundaryFileSync } from "../infra/boundary-file-read.js";

function safeExtensionEntryExists(packageDir: string, entry: string): boolean {
  const opened = openBoundaryFileSync({
    absolutePath: path.join(packageDir, entry),
    rootPath: packageDir,
    boundaryLabel: "plugin package directory",
    ​// openBoundaryFileSync defaults rejectHardlinks=true and uses O_NOFOLLOW
    allowedType: "file",
  });
  if (!opened.ok) return false;
  fs.closeSync(opened.fd);
  return true;
}

Then in resolveLegacyExtensionsFallback():

exists: safeExtensionEntryExists(packageDir, entry)

Also recommended: update the install-time scanner’s forced include path handling to reject symlinks/hardlinks (e.g., lstat + realpath containment) before any readFile(), so even explicitly-configured openclaw.extensions entries cannot trigger out-of-bound reads.

---

Analyzed PR: #32055 at commit ce0b3ae

_{Last updated on: 2026-03-02T19:23:48Z}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ce0b3ae7e3

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[greptile-apps]

Greptile Summary

This PR adds backward compatibility for legacy plugin packages by implementing a fallback mechanism when package.json lacks openclaw.extensions. The fallback checks for default entry files (./index.ts, ./index.js, ./dist/index.js) when a valid openclaw.plugin.json is present.

Key changes:

• Added resolveLegacyExtensionsFallback() function that validates plugin manifest existence before attempting fallback
• Modified ensureOpenClawExtensions() to try fallback when extensions array is missing or empty
• Fallback only activates if openclaw.plugin.json is valid, maintaining security boundaries
• Added test coverage for the happy path scenario

Issues found:

• The fallback returns all matching entry files rather than the first one, which could cause duplicate plugin loading if a package contains both source and compiled versions (commented inline)

Confidence Score: 4/5

• This PR is safe to merge with one minor logic consideration that's unlikely to cause issues in practice
• The implementation correctly adds legacy plugin compatibility with proper security boundaries (hardcoded paths, manifest validation, boundary checks). One logic issue exists where multiple fallback files would all be returned instead of respecting priority order, but this edge case is unlikely in published packages which typically contain only one entry file format. The change is backward compatible and well-tested for the primary use case.
• Pay attention to src/plugins/install.ts lines 91-97 - the fallback logic could be improved to return only the first matching file

_{Last reviewed commit: ce0b3ae}

[greptile-apps]

_{3 files reviewed, 1 comment}

_{Edit Code Review Agent Settings | Greptile}

[steipete]

Landed via temp rebase onto main.

• Gate: pnpm -s vitest run src/plugins/install.test.ts -t "openclaw.extensions|legacy plugin package shape"
• Land commit: af61a26
• Merge commit: fbd1210

Thanks @liuxiaopai-ai!

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: af61a26334

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Preserve Telegram HTML for all outbound text paths

This conditional only bypasses sanitization for Telegram payloads that have channelData, but Telegram sendText/sendMedia already use textMode: "html" for normal messages too (src/channels/plugins/outbound/telegram.ts), so regular Telegram payloads now get HTML converted/stripped before send. In practice, messages like <b>hello</b> that used to render correctly will be transformed (for example to *hello*) or lose formatting when channelData is absent.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Cache hash of the actually synced Telegram command set

After a BOT_COMMANDS_TOO_MUCH retry, setMyCommands may succeed with a reduced retryCommands list, but this writes the hash of the original commandsToRegister. That records "synced" for a command set that was never applied, so subsequent runs can skip sync as unchanged and leave the bot permanently on the truncated menu unless the input list changes.

Useful? React with 👍 / 👎.