Code Pluginsource linked

Gen Sagev0.8.0

Safety for Agents — ADR layer for OpenClaw

@gendigital/sage-openclaw·runtime sage-openclaw·by @tommydeeee

Community code plugin. Review compatibility and verification before install.

openclaw plugins install clawhub:@gendigital/sage-openclaw

Latest release: v0.8.0Download zip

Capabilities

Compatibility

Built With Open Claw Version

2026.3.22

Plugin Api Range

>=2026.3.28

Security Scan

VirusTotal

Pending

View report →

OpenClaw

Suspicious

medium confidence

✓

Purpose & Capability

Name/description claim an Agent Detection & Response layer; the package includes OpenClaw plugin metadata, a built dist extension, and many YAML threat/rule files that implement command/URL/file detection and approval flows — these requirements align with the declared purpose.

ℹ

Instruction Scope

SKILL.md (security-awareness) is narrowly scoped to guidance and listing of audit/report tools and does not ask for unrelated files or credentials. It instructs the agent to use Sage tools for listing/reporting audit entries and warns against auto-approval. However, the README and SKILL.md claim the plugin will intercept exec/web_fetch/read/write/apply_patch calls and consult cloud-based URL reputation services, so the runtime will access network and local files (home dir ~/.sage) — this is expected but important to confirm in runtime code.

✓

Install Mechanism

No download-from-arbitrary-URL install spec; the package ships as an OpenClaw plugin bundle with a built dist/index.cjs included. There is no external installer URL in the manifest and no archive extraction from unknown hosts, which lowers install risk.

Credentials

The package declares no required environment variables, but the code (dist and build scripts) clearly accesses process.env and user home (~/.sage) and writes exception/config files. More importantly, build-time code comments and runtime code use bracketed property accesses (e.g., process['env']) and an esbuild plugin that strips 'require("process")' patterns. Deliberate obfuscation of 'process' and related patterns to avoid static scanner detection is disproportionate for a security plugin and suggests the authors attempted to hide env access patterns from scanners. Confirm what network endpoints are contacted, whether any telemetry/telemetry keys are used, and whether secrets are ever transmitted.

ℹ

Persistence & Privilege

The plugin is not marked always:true and is user-invocable. It writes to per-user paths (~/.sage/exceptions.json, ~/.sage/config.json, branding file) and integrates with OpenClaw approval hooks (expected for ADR). Writing per-user config and exceptions is normal, but combined with the obfuscation above this should be reviewed to ensure it only modifies its own data and does not alter other plugins or global agent settings.

Scan Findings in Context

[system-prompt-override] unexpected: Static pre-scan flagged a 'system-prompt-override' pattern in SKILL.md. The SKILL.md contains directive-style language ("You are working in an environment protected by Sage") and tool names for reporting; while primarily guidance, the scan signal should be reviewed. More importantly, build-time comments indicate intentional evasion of scanner detection which is inconsistent with an ethics/security-first project.

What to consider before installing

This package implements an ADR/agent-safety plugin and includes the rule sets you'd expect, but there are red flags: the build script and compiled code intentionally hide 'process' and env access patterns from static scanners (esbuild plugin comments and bracketed process.env access). Before installing, do at least one of the following: (1) inspect the runtime JS (dist/index.cjs) for outgoing network calls and the exact endpoints used for URL reputation, telemetry, or false-positive reports; (2) run the plugin in a sandboxed environment and monitor network/IO to confirm it only contacts documented endpoints; (3) request clarification from the author why scanner-evasion is necessary and what data (if any) is uploaded, and ask for transparency about any telemetry or cloud API credentials used. If you cannot verify those, treat the plugin as higher risk despite its stated purpose.

✗

dist/index.cjs:4498

Environment variable access combined with network send.

✗

src/__tests__/e2e.test.ts:38

Environment variable access combined with network send.

src/__tests__/e2e.test.ts:18

File read combined with network send (possible exfiltration).

Patterns worth reviewing

These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Verification

Tier

source linked

Scope

artifact only

Summary

Validated package structure and linked the release to source metadata.

Source

github.com/gendigitalinc/sage

Commit

5c5e576ab451

Tag

v0.8.0

Provenance

Scan status

pending

@gendigital/sage-openclaw

Safety for Agents - Agent Detection & Response (ADR) plugin for OpenClaw.

Sage intercepts tool calls (shell commands, URL fetches, file writes) and checks them against URL reputation services, local heuristic threat rules, and package supply-chain checks before they execute.

Installation

openclaw plugins install @gendigital/sage-openclaw

What It Does

Intercepts exec, web_fetch, write, edit, read, and apply_patch tool calls
Checks URLs against cloud-based malware/phishing detection
Matches commands and file paths against YAML-based threat definitions
Validates npm/PyPI packages against supply-chain risks
Scans installed plugins for threats at session start
Provides native approval dialogs for interactive approval of flagged actions

Configuration

Sage works out of the box with no configuration. Optional config file at ~/.sage/config.json:

{
  "sensitivity": "balanced",
  "url_check": { "enabled": true },
  "file_check": { "enabled": true }
}