openclaw: v2026.5.12-beta.5 plugin dependency scanner blocks legitimate LanceDB/OpenAI memory plugin installs [1 comment, 2 participants]

openclaw/openclaw#81501 (fetched 2026-05-14 03:31:25)


Summary

OpenClaw v2026.5.12-beta.5 blocks normal packaged installs of a legitimate native memory/vector plugin when the plugin declares @lancedb/lancedb and openai as runtime dependencies.

This looks related to #81499, but this report is narrower: it is not about update fallback or stale config after disabling a plugin. It is a direct install-time regression for third-party memory plugins that need common ML/native runtime dependencies.

Environment

  • OpenClaw GitHub tag: v2026.5.12-beta.5
  • OpenClaw commit: 2cdd69a303e311da587b7c6a5913fb7ff8039299
  • npm exact: openclaw@2026.5.12-beta.5
  • npm @beta: 2026.5.12-beta.5
  • Test user: non-root kimi
  • Isolated env used for smoke:
    • HOME=$BASE/home
    • USERPROFILE=$BASE/home
    • OPENCLAW_HOME=$BASE/home/.openclaw
    • XDG_CONFIG_HOME=$BASE/home/.config
    • XDG_CACHE_HOME=$BASE/home/.cache
    • XDG_DATA_HOME=$BASE/home/.local/share
    • TMPDIR=$BASE/tmp
    • NPM_CONFIG_PREFIX=$BASE/npm-global
    • NPM_CONFIG_CACHE=$BASE/npm-cache

Plugin shape tested

External OpenClaw plugin package:

{
  "name": "memory-lancedb-namespaced",
  "version": "3.0.0-beta.2",
  "type": "module",
  "main": "./index.js",
  "openclaw": {
    "extensions": ["./index.js"]
  },
  "files": [
    "index.js",
    "lib/",
    "openclaw.plugin.json",
    "README.md"
  ],
  "dependencies": {
    "@lancedb/lancedb": "^0.26.2",
    "openai": "^6.27.0"
  }
}

The plugin also has an openclaw.plugin.json with stable tool contracts:

  • memory_store
  • memory_recall
  • memory_forget
  • knowledge_update

and registers OpenClaw-native surfaces such as:

  • registerMemoryPromptSupplement
  • registerMemoryCorpusSupplement
  • agent_end
  • before_prompt_build
  • gateway_start
  • gateway_stop

Reproduction

  1. Install OpenClaw exact beta5 in an isolated non-root prefix.

     scripts/install-cli.sh \
       --prefix "$BASE/prefix" \
       --version 2026.5.12-beta.5 \
       --no-onboard \
       --json

  2. Package the plugin as an npm tarball.

     npm pack ./extensions/memory-lancedb-namespaced --json

  3. Install the plugin tarball normally.

     openclaw plugins install /tmp/memory-lancedb-namespaced-3.0.0-beta.2.tgz --force

Actual behavior

Normal install is blocked by the beta5 dependency runtime scanner.

Representative output:

Plugin "memory-lancedb-namespaced" installed tree contains dangerous code patterns:
Shell command execution detected (child_process) (.../node_modules/openai/src/helpers/audio.ts)
Shell command execution detected (child_process) (.../node_modules/openai/helpers/audio.mjs)
Dynamic code execution detected (.../node_modules/apache-arrow/Arrow.es2015.min.js)
Dynamic code execution detected (.../node_modules/apache-arrow/builder/valid.mjs)
Shell command execution detected (child_process) (.../node_modules/@types/node/child_process.d.ts)
Shell command execution detected (child_process) (.../node_modules/@lancedb/lancedb/dist/native.js)
Dynamic code execution detected (.../node_modules/@lancedb/lancedb/dist/embedding/transformers.js)

Plugin "memory-lancedb-namespaced" installation blocked: dangerous code patterns detected

Expected behavior

OpenClaw should still protect users from unsafe third-party plugins, but legitimate native/ML dependency trees need a supported path that is not --dangerously-force-unsafe-install.

Possible acceptable designs:

  • A manifest/package-level trust policy for known runtime dependencies.
  • A scanner allowlist for audited package/version/path patterns such as @lancedb/lancedb, apache-arrow, and openai helper files.
  • A more granular install prompt that distinguishes plugin-authored code findings from findings in well-known dependency packages.
  • A ClawHub/trusted-plugin review artifact that can bless native dependency surfaces without disabling scanning globally.

Why this matters

The beta5 scanner currently makes it hard to ship a real OpenClaw-native memory/vector plugin as a normal packaged plugin.

A memory plugin that uses LanceDB/OpenAI is not unusual. Blocking this dependency shape means third-party plugins that provide vector search, embeddings, reranking, local DBs, or native ML helpers cannot use the normal install path, even when the plugin itself is small and declarative.

For PLUR1BUS v3 specifically, the goal is to be a native OpenClaw augment plugin, not a shell-installed patch bundle. Requiring --dangerously-force-unsafe-install undermines that migration path.

Verification performed

Local/non-UI evidence:

  • node --check index.js: pass
  • node --check lib/neo-arch.js: pass
  • node --test __tests__/*.test.js: pass, 9/9
  • npm pack --dry-run --json: pass, runtime files only
  • exact beta5 install-cli smoke under non-root user: pass
  • normal plugin tarball install: blocked by dependency scanner
  • forced plugin install with --dangerously-force-unsafe-install: pass with warning
  • openclaw plugins inspect memory-lancedb-namespaced --json --runtime: pass after force install
  • openclaw plugins doctor: pass after force install
  • with hook permissions set, runtime hooks include agent_end, before_prompt_build, gateway_start, gateway_stop

Notes

This issue is based on local git diff/file/runtime analysis against v2026.5.12-beta.5, not on GitHub compare UI output.

The relevant beta5 local diff areas were:

  • src/plugins/install-security-scan.runtime.ts
  • src/plugins/install.ts
  • src/infra/npm-managed-root.ts
  • plugin managed dependency install/update/uninstall tests

The local ClawSweeper gate reported the 47 beta4-to-beta5 commits as unreviewed in the state repo, so the issue is backed by direct local smoke evidence rather than an external review report.
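As an added illustration of the "more granular" triage and audited-allowlist designs the report proposes (example code, not OpenClaw's own install-security-scan implementation): findings in files outside node_modules are treated as plugin-authored and always block, while a finding inside a dependency clears only through an explicit allowlist entry keyed by package, version pattern, path pattern and rule. The allowlist entries, the installed-version map, the audit ids and the last sample finding line are constructed; the other sample lines are quoted from the scanner output above.

```typescript
// Added example, not OpenClaw's own scanner: triage install-scan findings so plugin-authored code
// always blocks, while a dependency finding clears only via an explicit audited allowlist entry.
type Finding = { rule: string; detail?: string; file: string };
type Triaged = Finding & { pkg: string | null; verdict: "block" | "allow"; reason: string };
type AllowEntry = { pkg: string; version: RegExp; path: RegExp; rule: string; audit: string };
// Matches lines such as: Shell command execution detected (child_process) (<path>)
const FINDING_RE = /^(.+?) detected(?: \(([^()]*)\))? \(([^()]*)\)$/;
export function parseFinding(line: string): Finding | null {
  const m = FINDING_RE.exec(line.trim());
  return m ? { rule: m[1] ?? "", detail: m[2], file: m[3] ?? "" } : null;
}
// Package owning a file (scoped names like @lancedb/lancedb handled); null = outside node_modules, i.e. plugin-authored.
export function owningPackage(file: string): { pkg: string; rel: string } | null {
  const i = file.lastIndexOf("node_modules/");
  if (i < 0) return null;
  const parts = file.slice(i + "node_modules/".length).split("/");
  const n = (parts[0] ?? "").charAt(0) === "@" ? 2 : 1;
  return { pkg: parts.slice(0, n).join("/"), rel: parts.slice(n).join("/") };
}
export function triage(lines: string[], allow: AllowEntry[], installed: Record<string, string>): Triaged[] {
  const out: Triaged[] = [];
  for (const line of lines) {
    const f = parseFinding(line);
    if (!f) continue; // skip non-finding lines such as the "installation blocked" summary
    const owner = owningPackage(f.file);
    if (!owner) { out.push({ ...f, pkg: null, verdict: "block", reason: "plugin-authored code" }); continue; }
    const ver = installed[owner.pkg] ?? "";
    const hit = allow.find((a) =>
      a.pkg === owner.pkg && a.rule === f.rule && a.version.test(ver) && a.path.test(owner.rel));
    out.push(hit
      ? { ...f, pkg: owner.pkg, verdict: "allow", reason: `audited (${hit.audit})` }
      : { ...f, pkg: owner.pkg, verdict: "block", reason: `unreviewed finding in ${owner.pkg}@${ver || "?"}` });
  }
  return out;
}
export const installBlocked = (t: Triaged[]): boolean => t.some((x) => x.verdict === "block");
// Finding lines quoted from the issue's scanner output, plus one constructed plugin-authored finding.
export const SAMPLE_FINDINGS = [
  "Shell command execution detected (child_process) (.../node_modules/openai/src/helpers/audio.ts)",
  "Shell command execution detected (child_process) (.../node_modules/openai/helpers/audio.mjs)",
  "Dynamic code execution detected (.../node_modules/apache-arrow/Arrow.es2015.min.js)",
  "Shell command execution detected (child_process) (.../node_modules/@lancedb/lancedb/dist/native.js)",
  "Dynamic code execution detected (.../node_modules/@lancedb/lancedb/dist/embedding/transformers.js)",
  "Shell command execution detected (child_process) (.../plugin-root/lib/helper.js)", // constructed
];
// Constructed: versions follow the issue's package.json ranges; audit ids are placeholders.
export const INSTALLED: Record<string, string> = { openai: "6.27.0", "@lancedb/lancedb": "0.26.2" };
export const ALLOWLIST: AllowEntry[] = [
  { pkg: "openai", version: /^6\./, path: /^(src\/)?helpers\/audio\.(ts|mjs)$/, rule: "Shell command execution", audit: "AUDIT-PLACEHOLDER-1" },
  { pkg: "@lancedb/lancedb", version: /^0\.26\./, path: /^dist\/native\.js$/, rule: "Shell command execution", audit: "AUDIT-PLACEHOLDER-2" },
];
```

With this allowlist the openai audio helpers and the LanceDB native loader clear, but the apache-arrow and transformers.js dynamic-code findings and the plugin-authored line still block the install, so scanning is never disabled globally.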
