@@ -440,12 +440,8 @@ When in doubt, raise the abstraction level: define the capability first, then le
|
440 | 440 | Native OpenClaw plugins run **in-process** with the Gateway. They are not sandboxed. A loaded native plugin has the same process-level trust boundary as core code. |
441 | 441 | |
442 | 442 | <Warning> |
443 | | -Implications: |
444 | | - |
445 | | -- a native plugin can register tools, network handlers, hooks, and services |
446 | | -- a native plugin bug can crash or destabilize the gateway |
447 | | -- a malicious native plugin is equivalent to arbitrary code execution inside the OpenClaw process |
448 | | -</Warning> |
| 443 | +Native plugin implications: a plugin can register tools, network handlers, hooks, and services; a plugin bug can crash or destabilize the gateway; and a malicious native plugin is equivalent to arbitrary code execution inside the OpenClaw process. |
| 444 | +</Warning> |
449 | 445 | |
450 | 446 | Compatible bundles are safer by default because OpenClaw currently treats them as metadata/content packs. In current releases, that mostly means bundled skills. |
451 | 447 | |
@@ -454,13 +450,8 @@ Use allowlists and explicit install/load paths for non-bundled plugins. Treat wo
|
454 | 450 | For bundled workspace package names, keep the plugin id anchored in the npm name: `@openclaw/<id>` by default, or an approved typed suffix such as `-provider`, `-plugin`, `-speech`, `-sandbox`, or `-media-understanding` when the package intentionally exposes a narrower plugin role. |
455 | 451 | |
456 | 452 | <Note> |
457 | | -**Trust note:** |
458 | | - |
459 | | -- `plugins.allow` trusts **plugin ids**, not source provenance. |
460 | | -- A workspace plugin with the same id as a bundled plugin intentionally shadows the bundled copy when that workspace plugin is enabled/allowlisted. |
461 | | -- This is normal and useful for local development, patch testing, and hotfixes. |
462 | | -- Bundled-plugin trust is resolved from the source snapshot — the manifest and code on disk at load time — rather than from install metadata. A corrupted or substituted install record cannot silently widen a bundled plugin's trust surface beyond what the actual source claims. |
463 | | -</Note> |
| 453 | +**Trust note:** `plugins.allow` trusts **plugin ids**, not source provenance. A workspace plugin with the same id as a bundled plugin intentionally shadows the bundled copy when that workspace plugin is enabled/allowlisted. This is normal and useful for local development, patch testing, and hotfixes. Bundled-plugin trust is resolved from the source snapshot — the manifest and code on disk at load time — rather than from install metadata. A corrupted or substituted install record cannot silently widen a bundled plugin's trust surface beyond what the actual source claims. |
| 454 | +</Note> |
464 | 455 | |
465 | 456 | ## Export boundary |
466 | 457 | |
|