openclaw - 💡(How to fix) Fix [Bug]: openclaw security audit "plugins.allow_phantom_entries" false-positives on bundled provider plugins (anthropic, brave, google, ollama, memory-core, active-memory) [1 comments, 2 participants]

What happened?

openclaw security audit reports plugins.allow_phantom_entries for plugin IDs that are actually installed and loaded. The warning lists IDs of bundled provider/utility plugins (e.g. anthropic, brave, google, ollama, memory-core, active-memory) that ship under <install-prefix>/dist/extensions/ and are visible to openclaw plugins list.

Example output on 2026.4.24:

plugins.allow_phantom_entries  plugins.allow contains entries with no matching installed plugin
  The following plugins.allow entries do not correspond to any installed plugin:
  anthropic, active-memory, brave, memory-core, google, ollama.
  Phantom entries could be exploited by registering a new plugin with an allowlisted ID.
  Fix: Remove unused entries from plugins.allow, or verify the expected plugins are installed.

But these are installed:

$ ls /opt/homebrew/lib/node_modules/openclaw/dist/extensions/ | grep -E '^(anthropic|active-memory|brave|google|memory-core|ollama)$'
active-memory
anthropic
brave
google
memory-core
ollama

$ openclaw plugins list 2>&1 | grep -E ' (anthropic|active-memory|brave|google|memory-core|ollama) '
│ Active       │ active-memory │ openclaw │ loaded   │ stock:active-memory/index.js
│ @openclaw/   │ anthropic     │ openclaw │ loaded   │ stock:anthropic/index.js
│ @openclaw/   │ brave         │ openclaw │ loaded   │ stock:brave/index.js
│ @openclaw/   │ google        │ openclaw │ loaded   │ stock:google/index.js
│ memory-core  │ core          │ openclaw │          │ OpenClaw core memory search plugin
│ @openclaw/   │ ollama        │ openclaw │ loaded   │ stock:ollama/index.js

The audit only checks two sources for "installed":

1. Directories under the user state extensions dir (~/.openclaw/extensions/).
2. listChannelPlugins() — which only returns channel plugins (slack, telegram, rocketchat, etc.).

It never inspects the bundled stock extensions dir at <install-prefix>/dist/extensions/ where provider plugins (anthropic, openai, google, …), search plugins (brave), memory plugins (memory-core, active-memory), and others live. So any time plugins.allow contains a stock-bundled provider/utility plugin ID, the audit raises a false-positive plugins.allow_phantom_entries warning.

Why this matters

• Operators are nudged to delete legitimately-allowlisted plugins to silence the warning, which would broaden the trust surface (or break loading once plugins.allow shrinks below 1 — at which point plugins.extensions_no_allowlist fires instead, sometimes as critical).
• The warning's stated risk is "phantom entries could be exploited by registering a new plugin with an allowlisted ID" — exactly the scenario where pinning trusted bundled provider IDs in plugins.allow is the right defence. Punishing that pattern is backwards.

Where the bug is

In the shipped 2026.4.24 binary (dist/audit-extra.async-BDI343HR.js), the relevant block is roughly:

const installedPluginIds = new Set(pluginDirs.map(dir => path.basename(dir).toLowerCase()));
const bundledPluginIds   = new Set(listChannelPlugins().map(p => p.id.toLowerCase()));
const phantomEntries = allow.filter(entry => {
  const lower = entry.toLowerCase();
  if (installedPluginIds.has(lower) || bundledPluginIds.has(lower)) return false;
  const canonicalId = normalizeOptionalLowercaseString(normalizePluginId(entry)) ?? "";
  return !canonicalId || !bundledPluginIds.has(canonicalId);
});

bundledPluginIds should also include stock provider/utility plugin IDs from the bundled extensions dir, not only channel plugins.

The current main (src/security/audit-plugins-trust.ts) replaces this with loadPluginRegistrySnapshot / pluginIndex.plugins, which is the right direction — but it's still possible the registry snapshot omits stock bundled extensions if the registry hasn't been refreshed (the new code emits persisted-registry-missing/stale diagnostics). It would help to confirm that plugins.allow validation falls back to filesystem inspection of the bundled extensions dir when the registry is unavailable, so operators on a fresh install or after OPENCLAW_DISABLE_PERSISTED_PLUGIN_REGISTRY=1 don't hit the same false positive.

Reproduction

1. Fresh install of openclaw 2026.4.24.
2. In ~/.openclaw/openclaw.json, set:

   "plugins": {
     "allow": [
       "anthropic",
       "active-memory",
       "brave",
       "google",
       "memory-core",
       "ollama"
     ]
   }

3. Run openclaw security audit.

Expected: No plugins.allow_phantom_entries warning (all six are installed and loaded). Actual: All six are reported as phantom entries.

Versions / environment

• OpenClaw 2026.4.24 (cbcfdf6)
• macOS 26.3 (arm64), Node 25.9.0
• Install path: /opt/homebrew/lib/node_modules/openclaw

Suggested fix

Treat the bundled dist/extensions/ directory as an additional source of valid plugin IDs in the audit's installedPluginIds set (or expand the bundledPluginIds snapshot to include all bundled plugin manifests, not just channel plugins). Mirror the same fix in the new audit-plugins-trust.ts registry path so an unrefreshed registry snapshot doesn't regress this.

I'm happy to send a PR if maintainers agree on the approach.