From bd796d1c85c7dec0dcb89ed11502e4271ded1314 Mon Sep 17 00:00:00 2001 From: Peter Steinberger Date: Sat, 25 Apr 2026 22:59:00 +0100 Subject: [PATCH] docs(plugins): clarify local dependency installs --- docs/cli/hooks.md | 3 ++- docs/gateway/security/index.md | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/docs/cli/hooks.md b/docs/cli/hooks.md index 78c75edc723..77592c664fb 100644 --- a/docs/cli/hooks.md +++ b/docs/cli/hooks.md @@ -209,7 +209,8 @@ deprecation warning and forwards to `openclaw plugins install`. Npm specs are **registry-only** (package name + optional **exact version** or **dist-tag**). Git/URL/file specs and semver ranges are rejected. Dependency -installs run with `--ignore-scripts` for safety. +installs run project-local with `--ignore-scripts` for safety, even when your +shell has global npm install settings. Bare specs and `@latest` stay on the stable track. If npm resolves either of those to a prerelease, OpenClaw stops and asks you to opt in explicitly with a diff --git a/docs/gateway/security/index.md b/docs/gateway/security/index.md index 9a8e07813e3..74b8eb3a337 100644 --- a/docs/gateway/security/index.md +++ b/docs/gateway/security/index.md 
@@ -504,7 +504,7 @@ Plugins run **in-process** with the Gateway. Treat them as trusted code: - If you install or update plugins (`openclaw plugins install `, `openclaw plugins update `), treat it like running untrusted code: - The install path is the per-plugin directory under the active plugin install root. - OpenClaw runs a built-in dangerous-code scan before install/update. `critical` findings block by default. - - OpenClaw uses `npm pack` and then runs `npm install --omit=dev` in that directory (npm lifecycle scripts can execute code during install). + - OpenClaw uses `npm pack`, then runs a project-local `npm install --omit=dev --ignore-scripts` in that directory. Inherited global npm install settings are ignored so dependencies stay under the plugin install path. - Prefer pinned, exact versions (`@scope/pkg@1.2.3`), and inspect the unpacked code on disk before enabling. - `--dangerously-force-unsafe-install` is break-glass only for built-in scan false positives on plugin install/update flows. It does not bypass plugin `before_install` hook policy blocks and does not bypass scan failures. - Gateway-backed skill dependency installs follow the same dangerous/suspicious split: built-in `critical` findings block unless the caller explicitly sets `dangerouslyForceUnsafeInstall`, while suspicious findings still warn only. `openclaw skills install` remains the separate ClawHub skill download/install flow.
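Review bot: In the docs/cli/hooks.md hunk, "even when your shell has global npm install settings" is too vague for a reader to act on; say which settings are being overridden (for example a `global=true` or `prefix` entry in `.npmrc`, or `npm_config_*` environment variables) or link to the Gateway security page where the behaviour is described. Also worth a half-sentence of caveat here: because dependencies are installed with `--ignore-scripts`, any dependency that relies on a lifecycle script (postinstall native builds, for instance) will not be built by the installer, and plugin authors should know that up front rather than discovering it from a runtime failure.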
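Review bot: In the docs/gateway/security/index.md hunk, the replaced line drops the rationale "(npm lifecycle scripts can execute code during install)" without replacing it, so the reader no longer learns why `--ignore-scripts` is part of the command. Keep a short rationale, e.g. "`--ignore-scripts` prevents dependency lifecycle scripts from executing at install time; the dependency code still runs in-process once the plugin is enabled", since this section opens by stating that plugins run in-process and the install-time flag does not change that. The sentence "Inherited global npm install settings are ignored so dependencies stay under the plugin install path" should also name the mechanism (which npm config keys are overridden, or that a dedicated `.npmrc` / `--prefix` is used), otherwise an operator cannot verify the claim on their own host.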