fix(plugins): require owner for plugin writes#93353
Conversation
|
Codex review: needs maintainer review before merge. Reviewed June 15, 2026, 12:47 PM ET / 16:47 UTC. Summary PR surface: Source +11, Tests +118. Total +129 across 3 files. Reproducibility: Do we have a high-confidence way to reproduce the issue? Yes from source path inspection and the contributor's terminal proof: current main lacks an owner guard before plugin write mutation, while PR head blocks a Telegram-shaped authorized non-owner before persistence. Review metrics: 1 noteworthy metric.
Merge readiness Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch. Rank-up moves:
Mantis proof suggestion Risk before merge
Maintainer options:
Next step before merge
Security Review detailsBest possible solution: Land this only after a maintainer explicitly accepts the fail-closed plugin write policy and confirms the owner/admin boundary is the desired upgrade behavior for existing channel users. Do we have a high-confidence way to reproduce the issue? Do we have a high-confidence way to reproduce the issue? Yes from source path inspection and the contributor's terminal proof: current main lacks an owner guard before plugin write mutation, while PR head blocks a Telegram-shaped authorized non-owner before persistence. Is this the best way to solve the issue? Is this the best way to solve the issue? Yes for the plugin write boundary: the guard is placed before side effects, keeps read-only plugin commands available, and preserves Gateway AGENTS.md: found and applied where relevant. Codex review notes: model internal, reasoning high; reviewed against f00de6b06a32. Label changesLabel justifications:
Evidence reviewedPR surface: Source +11, Tests +118. Total +129 across 3 files. View PR surface stats
What I checked:
Likely related people:
What the crustacean ranks mean
Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics. How this review workflow works
|
|
@clawsweeper re-review |
|
🦞🧹 I asked ClawSweeper to review this item again. Re-review progress:
|
|
🦞👀 Command router queued. I will update this comment with the next step. |
|
Behavioral proof for the plugin write authorization change. I ran a disposable terminal scenario against the PR head ( Command run: Redacted output: What this proves:
Focused validation also still passes:
|
|
@clawsweeper re-review |
1 similar comment
|
@clawsweeper re-review |
|
🦞👀 Command router queued. I will update this comment with the next step. |
|
🦞👀 Command router queued. I will update this comment with the next step. |
Summary of All Checks CompletedRelevanceThree independent checks confirmed the vulnerability is in scope (CWE-862/CWE-269 — Missing Authorization / Improper Privilege Management, CVSS 8.8 High), still present on current CompatibilityA dedicated compatibility assessment found no supported user contract break. The PR does not change exported APIs, config schemas, CLI flags, Gateway protocol messages, plugin SDK types, storage formats, or docs contracts. The only newly blocked behavior is the vulnerability itself — a channel-authorized non-owner sender mutating trusted plugin state. Owner senders and Gateway ClawSweeperClawSweeper reviewed the PR twice. The first review rated patch quality as platinum hermit but blocked on missing real behavior proof. After terminal-based behavioral proof was posted showing a non-owner channel Code Reviews CompletedMultiple code reviews examined the implementation: the targeted 11-line production diff, the 17 regression tests, the three-layer authorization gate (Gateway scope → owner/admin → Nix mode), the use of existing Checks Completed
Abbreviations
|
Mantis Telegram Desktop ProofSummary: Mantis captured native Telegram Desktop before/after GIF evidence for the plugin write authorization change.
Motion-trimmed clips: Raw QA files: https://artifacts.openclaw.ai/mantis/telegram-desktop/pr-93353/run-27560292964-1/index.json |




Summary
Require owner identity or Gateway
operator.adminbefore/plugins install,/plugins enable, or/plugins disablecan mutate trusted plugin state.Changes
/plugins listand/plugins inspectbehavior for authorized senders.operator.adminfor plugin install and toggle commands.Validation
corepack pnpm exec oxfmt --write src/auto-reply/reply/commands-plugins.ts src/auto-reply/reply/commands-plugins.install.test.ts src/auto-reply/reply/commands-plugins.test.tsnode scripts/run-vitest.mjs run --config test/vitest/vitest.auto-reply-reply.config.ts src/auto-reply/reply/commands-plugins.install.test.ts src/auto-reply/reply/commands-plugins.test.ts --reporter=dotpassed: 2 files, 17 tests.git diff --check.agents/skills/autoreview/scripts/autoreview --mode localreturned clean: no accepted/actionable findings.Notes
operator.adminis required for plugin writes.CHANGELOG.mdwas not updated.openclawlatest is2026.6.6, and localv2026.6.6still has the prior write-command gate.