Dangerous Code Patterns Warning

[trustedwizard]

Upon reinstall/update:

WARNING: Plugin "clawrouter" contains dangerous code patterns: Environment variable access combined with network send — possible credential harvesting (/tmp/openclaw-plugin-IUa7Wl/extract/package/dist/index.js:2314)

[1bcMax]

This is a false positive security warning

Context: https://x.com/bc1beat/status/2020158972561428686

When OpenClaw's security scanners flag payment plugins as "credential harvesting," here's what's actually happening:

The Pattern That Triggers The Warning

env variable access + network request = "suspicious"

The Reality

ClawRouter legitimately:

1. Reads BLOCKRUN_WALLET_KEY from environment (for authentication)
2. Generates EIP-712 signatures locally using the wallet key (key never leaves the machine)
3. Sends the signature to BlockRun API (to make authenticated x402 payments)

The private key is used locally for cryptographic signing — the signature is transmitted, not the key itself. This is standard x402 payment protocol behavior.

Why This Happens

The scanner uses a heuristic: env variable + network send = credential harvesting. But payment plugins inherently need both — there's no way to sign transactions without reading the key, and no way to submit payments without network requests.

Documentation

• The code is MIT licensed and fully auditable
• Security documentation: openclaw.security.json
• Troubleshooting section in README explains this warning

Resolution

Users can safely ignore this warning. The warning will appear on every reinstall/update but does not indicate actual malicious behavior.