Issue Station
Sign In
Tools hereToolbox

openclaw - 💡(How to fix) Fix Plugin allowlist empty warning is unactionable and alarming for first-time users [1 comments, 2 participants]

Official PRs (…)
ON THIS PAGE

Recommended Tools

×6

Utilities matched from this issue’s tags and category — try them while you read without losing context.

GitHub issue graph ai analysis

Paste a GitHub issue URL. We fetch that issue, discover linked issues from bodies/comments/timeline, collect linked pull requests, and produce a structured English report.

The report is written in English Markdown for sharing and archival.

Helpful · Quick feedback

Loading…
GitHub stats
openclaw/openclaw#68780Fetched 2026-04-19 15:07:38
View on GitHub
Comments
1
Participants
2
Timeline
1
Reactions
0
Author
JIRBOYJIRBOY
Participants
gongli0929gongli0929JIRBOYJIRBOY
Timeline (top)
commented ×1

Error Message

  1. Differentiate bundled vs third-party warning levels: Bundled plugins without install records should emit info, not warn

Root Cause

Source tracing (src/plugins/loader.ts:1326-1401):

  1. warnWhenAllowlistIsOpen (lines 1326-1361):

    • Triggers when plugins.allow is empty AND non-bundled plugins are discovered
    • On first boot, all extensions (including bundled ones like feishu, whatsapp) are discovered in ~/.openclaw/extensions/
    • Users do not know whether to put plugin IDs or channel IDs in plugins.allow

  2. warnAboutUntrackedLoadedPlugins (lines 1363-1401):

    • Warns "loaded without install/load-path provenance" for every plugin lacking provenance records
    • Even official bundled plugins trigger this warning if install records are missing

  3. Plugin ID vs Channel ID confusion:

    • Configuration uses channel IDs (e.g., "feishu"), but plugins.allow expects plugin IDs (e.g., "openclaw-lark")
    • Users configure "feishu" but the actual plugin ID is "openclaw-lark", causing a mismatch

Code Example

[plugins] plugins.allow is empty; discovered non-bundled plugins may auto-load: openclaw-lark, openclaw-weixin
[plugins] openclaw-lark: loaded without install/load-path provenance

---

[plugins] Discovered plugins: openclaw-lark, openclaw-weixin
   To explicitly trust them, add to openclaw.json:
   "plugins": { "allow": ["openclaw-lark", "openclaw-weixin"] }
RAW_BUFFERClick to expand / collapse

Problem

After a fresh install or upgrade, users see:

[plugins] plugins.allow is empty; discovered non-bundled plugins may auto-load: openclaw-lark, openclaw-weixin
[plugins] openclaw-lark: loaded without install/load-path provenance

These warnings are unactionable for new users — they have not configured anything yet and do not know what to configure.

Root Cause Analysis

Source tracing (src/plugins/loader.ts:1326-1401):

  1. warnWhenAllowlistIsOpen (lines 1326-1361):

    • Triggers when plugins.allow is empty AND non-bundled plugins are discovered
    • On first boot, all extensions (including bundled ones like feishu, whatsapp) are discovered in ~/.openclaw/extensions/
    • Users do not know whether to put plugin IDs or channel IDs in plugins.allow

  2. warnAboutUntrackedLoadedPlugins (lines 1363-1401):

    • Warns "loaded without install/load-path provenance" for every plugin lacking provenance records
    • Even official bundled plugins trigger this warning if install records are missing

  3. Plugin ID vs Channel ID confusion:

    • Configuration uses channel IDs (e.g., "feishu"), but plugins.allow expects plugin IDs (e.g., "openclaw-lark")
    • Users configure "feishu" but the actual plugin ID is "openclaw-lark", causing a mismatch

Suggested Fixes

  1. Suppress allowlist warnings on first boot: Detect first-time startup (no user config file) and skip the warning
  2. Make warnings actionable: Show exactly what to configure, e.g.: 
    [plugins] Discovered plugins: openclaw-lark, openclaw-weixin
To explicitly trust them, add to openclaw.json:
"plugins": { "allow": ["openclaw-lark", "openclaw-weixin"] }
  3. Auto-map channel IDs to plugin IDs: When a channel ID is used in config, automatically resolve it to the corresponding plugin ID
  4. Differentiate bundled vs third-party warning levels: Bundled plugins without install records should emit info, not warn
  5. Only load configured plugins from extensions directory: Plugins discovered in ~/.openclaw/extensions/ should only load if explicitly declared in config

Related Files

  • src/plugins/loader.ts (warnWhenAllowlistIsOpen, warnAboutUntrackedLoadedPlugins)
  • src/plugins/discovery.ts
  • src/plugins/roots.ts
  • src/config/types.plugins.ts

extent analysis

TL;DR

Suppress allowlist warnings on first boot by detecting the absence of a user config file and skipping the warning to prevent confusing new users.

Guidance

  • Modify the warnWhenAllowlistIsOpen function in src/plugins/loader.ts to check for the presence of a user config file before triggering the warning.
  • Update the warning message to provide actionable instructions, such as specifying the exact configuration changes required to trust discovered plugins.
  • Consider implementing a mechanism to auto-map channel IDs to plugin IDs to reduce user confusion.
  • Review the warning levels for bundled plugins without install records to ensure they are not unnecessarily alarming.

Example

// src/plugins/loader.ts
if (userConfigFileExists() && plugins.allow.isEmpty() && nonBundledPluginsDiscovered) {
  // Trigger warning with actionable instructions
  console.warn(`[plugins] Discovered plugins: ${nonBundledPluginsDiscovered.join(', ')}\nTo explicitly trust them, add to openclaw.json: "plugins": { "allow": ["${nonBundledPluginsDiscovered.join('", "')}"] }`);
}

Notes

The provided suggestions focus on improving the user experience and reducing confusion. However, a more comprehensive solution may require additional changes to the plugin loading and configuration mechanisms.

Recommendation

Apply the workaround by suppressing allowlist warnings on first boot and providing actionable instructions in the warning message, as this approach addresses the immediate issue and improves user experience.

Vote matrix · Quick signals

Works
Did the solution work? Tap to confirm.
Easy Fix
Was it a quick fix?
Time Saver
Did it save you time?
Blocking
Was it severely blocking?
Common Issue
Are others likely hitting this too?
Flaky / Intermittent
Is it intermittent?
Verified / Reproducible
Can you reproduce it reliably?
Loading…
#response parsing#generation error#database connection#vector store#embedding generation

Still need to ship something?

×6

Another batch ranked right after the header list — different links, same matching logic.

Back to top recommendations

TRENDING

openclaw - 💡(How to fix) Fix Plugin allowlist empty warning is unactionable and alarming for first-time users [1 comments, 2 participants]