fix(security): keep plain audit off plugin runtimes

Keep the routine security audit on config/filesystem checks by default; plugin-runtime collectors run only on the deep audit path (`--deep`).

Thanks @vincentkoc
This commit is contained in:
Vincent Koc
2026-05-01 08:22:06 -07:00
committed by GitHub
parent bbc3384fda
commit f858b5de22
5 changed files with 32 additions and 4 deletions


@@ -41,7 +41,10 @@ export function registerSecurityCli(program: Command) {
() =>
`\n${theme.heading("Examples:")}\n${formatHelpExamples([
["openclaw security audit", "Run a local security audit."],
["openclaw security audit --deep", "Include best-effort live Gateway probe checks."],
[
"openclaw security audit --deep",
"Include best-effort live Gateway probes and plugin-owned security audit collectors.",
],
["openclaw security audit --deep --token <token>", "Use explicit token for deep probe."],
[
"openclaw security audit --deep --password <password>",
@@ -55,7 +58,7 @@ export function registerSecurityCli(program: Command) {
security
.command("audit")
.description("Audit config + local state for common security foot-guns")
.option("--deep", "Attempt live Gateway probe (best-effort)", false)
.option("--deep", "Attempt live Gateway probes and plugin-owned collector checks", false)
.option("--token <token>", "Use explicit gateway token for deep probe auth")
.option("--password <password>", "Use explicit gateway password for deep probe auth")
.option("--fix", "Apply safe fixes (tighten defaults + chmod state/config)", false)
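Review bot: The new help text on the `.option("--deep", ...)` line says plugin-owned collector checks are attempted but not that this is what loads plugin code into the audit process, which is exactly the behaviour the commit title keeps off the plain path; an operator auditing a host with an untrusted or half-installed plugin would want that stated where they opt in. Suggest `.option("--deep", "Attempt live Gateway probes and run plugin-owned collector checks (loads plugin runtimes)", false)`, with the matching example string in the earlier hunk worded the same way so the two help surfaces agree. Whether collectors still run when the gateway probe itself fails is not visible in this hunk; if the two are independent, the help text could say so. The body of registerSecurityCli continues outside the hunk.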