Hey everyone! I've been exploring the new OpenClaw Plugin SDK for some home automation AI agents, and it looks really promising! The developer experience seems much smoother.
As a newcomer to this space, I'd love to understand how the security review process works. Could someone share a step-by-step guide on what happens after you submit a plugin? Specifically, what are the common security pitfalls they look for in the code review? I'm thinking about things like API key handling or input validation for AI agents.
Keep it simple.
Hey, I'm also new here but I've been through the review for a simple weather plugin. From what I saw, they really focus on the AI agent's execution scope. Like, does your plugin try to access files outside its sandbox?
For API keys, they flagged me for having a placeholder key in the example config. They want to see environment variables or a secure vault pattern, not even a comment with a fake key. Also, any user input that gets passed to shell commands or system calls gets scrutinized heavily. I had to add strict allow-lists for my device IDs.
Did your home automation plugin involve any external API calls? I'm still trying to figure out the best way to handle timeouts and retries without DoS-ing my own smart lights 😅
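The two review findings mentioned above (a credential in the example config, and user-controlled device IDs reaching a shell command) both come down to the same two habits: resolve secrets by environment-variable name rather than value, and pass only allow-listed, shape-checked identifiers to a process launched without a shell. The following is an added illustration in Python, not code from the OpenClaw Plugin SDK or from either poster; the `home-ctl` CLI, the `api_key_env` config field, the device-ID list and the `HOME_API_KEY` variable are all assumptions made for the example.

```python
"""Added example (not OpenClaw SDK code): secrets by env-var name,
allow-listed device IDs, and argv-only process launch for a device command."""
import os
import re
import subprocess
from typing import Callable, Mapping, Optional

# Constructed allow-list for the example; a real plugin would load this from
# its manifest or from the user's paired-device registry.
ALLOWED_DEVICE_IDS = frozenset({"light-living-room", "light-kitchen", "thermostat-hall"})
ALLOWED_ACTIONS = frozenset({"on", "off", "status"})
# Shape check runs before the allow-list check so that malformed input
# (shell metacharacters, path traversal) is rejected without being echoed.
DEVICE_ID_RE = re.compile(r"[a-z0-9][a-z0-9-]{2,63}")


class PluginConfigError(ValueError):
    """Raised when the plugin config or its environment is unusable."""


def load_api_key(config: Mapping[str, object],
                 env: Optional[Mapping[str, str]] = None) -> str:
    """Resolve the API key from the environment variable named in the config.

    An inline "api_key" entry is refused outright, even if it is a placeholder,
    so an example config that ships with the plugin can never carry a secret.
    """
    env = os.environ if env is None else env
    if "api_key" in config:
        raise PluginConfigError("config must not contain api_key; set api_key_env instead")
    var = config.get("api_key_env")  # hypothetical config field name
    if not isinstance(var, str) or not var:
        raise PluginConfigError("config.api_key_env must name an environment variable")
    key = env.get(var)
    if not key:
        raise PluginConfigError(f"environment variable {var} is not set")
    return key


def validate_device_id(device_id: object) -> str:
    """Return device_id unchanged if it is well-formed and on the allow-list."""
    if not isinstance(device_id, str) or not DEVICE_ID_RE.fullmatch(device_id):
        raise ValueError("malformed device id")
    if device_id not in ALLOWED_DEVICE_IDS:
        raise ValueError(f"device id {device_id!r} is not on the allow-list")
    return device_id


def build_device_command(device_id: object, action: object) -> list:
    """Build argv for the hypothetical home-ctl CLI: a list, never a shell string."""
    if not isinstance(action, str) or action not in ALLOWED_ACTIONS:
        raise ValueError("unsupported action")
    return ["home-ctl", "--device", validate_device_id(device_id), action]


def run_device_command(device_id: object, action: object,
                       runner: Callable = subprocess.run,
                       timeout: float = 5.0) -> bool:
    """Launch the command with shell=False and a hard timeout; True on exit 0."""
    argv = build_device_command(device_id, action)
    completed = runner(argv, shell=False, capture_output=True, text=True,
                       timeout=timeout, check=False)
    return completed.returncode == 0


if __name__ == "__main__":
    # Constructed environment for the demo; no real credential is used.
    fake_env = {"HOME_API_KEY": "constructed-test-value"}
    print("key loaded:", load_api_key({"api_key_env": "HOME_API_KEY"}, env=fake_env))
    for attempt in ("light-kitchen", "light-kitchen; rm -rf /",
                    "../../etc/passwd", "light-garage"):
        try:
            print(attempt, "->", build_device_command(attempt, "on"))
        except ValueError as exc:
            print(attempt, "-> rejected:", exc)
```

The `runner` parameter exists so the launch path can be exercised with a stub instead of a real `home-ctl` binary; the `timeout` on `subprocess.run` is the minimal guard against a hung device command, and is not a retry policy.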