Supply-chain choices · Pre-install pinning · Skill Audit · security audit gates · Six-step runbook
You are about to run openclaw plugins install or enable a new community Skill on a production Gateway, but you worry about malicious packages, filesystem scopes that are too wide, or a gray state where everything runs yet nothing is safe. After April 2026, OpenClaw draws a clearer line between Skill Audit and openclaw security audit, and v2026.4.22+ applies a fail-closed update policy when pinned plugin integrity drifts. This article is for ops and tech leads on VPS or remote Mac nodes: a bundled / npm plugin / community Skill decision matrix, pre-install pinning plus a six-step launch runbook, then audit gate tables and a symptom map to close the loop. Pair it with the production hardening checklist and the v2026.4 Docker guide.
OpenClaw splits channel and capability extensions into two layers: plugins load through manifests on the Gateway, usually via openclaw plugins install; Skills are tool packs the Agent can call, and they often touch the workspace, the shell, or the network. Many 2026 incidents were caused not by bad plugin code but by shipping community Skills to production as if they were documentation samples, or by treating an npm @latest tag the same as an audited bundled build.
| Source | Typical use | Exposure | Rollback | Production stance |
|---|---|---|---|---|
| Bundled official plugins | Telegram, Discord, and other first-tier channels | Audited with core releases | Follows openclaw update | Default first choice; track the core version line |
| npm plugins install | WeChat, Lark, and other scoped packages | Third-party publish chain plus local state dirs | Requires pinned versions and state volume backups | Staging first: doctor + audit |
| Community Skill catalogs | Automation scripts, browser control, batch files | Highest: filesystem / exec / network | Hard—sessions may already be written | Skill Audit first, then low-traffic Agents |
1. Write the change ticket: list new package names, exact versions, whether plugins.entries.*.enabled changes, and every new Skill.
2. Check bundled first: if the official channel already covers the capability, prefer bundled to avoid manifest conflicts.
3. Isolate staging: replay the full install on a staging Gateway; never trial @latest on production.
4. Permission budget: define allowed path prefixes and whether exec is permitted; over-budget Skills stay disabled.
5. Decouple channel debugging: for plugin issues start with plugins list; do not change model routing in the same ticket.
On a production Gateway, "loads" does not mean "should enable"; Skill Audit answers the second question.
Before any install, fix three citeable parameters on the change ticket. From 2026.4.22 onward, if a pinned npm plugin or hook package shows integrity drift, openclaw update will fail closed and print the abort reason in openclaw update --json—treat that as a security feature, not a broken updater.
| Parameter | Value to record |
|---|---|
| Core version line | >=2026.3.22 (check each package's peer deps); run openclaw --version before install |
| Install spec | openclaw plugins install "@scope/pkg@1.2.3"; never bare @latest on production |
| Post-install evidence | gateway restart; within 10 minutes after restart capture gateway status and plugins list |

Commands whose output goes on the ticket:

```shell
openclaw --version
openclaw plugins list
openclaw doctor --non-interactive
npm view @scope/your-plugin version
openclaw update --json
```
Warning: an error about missing TypeScript compile output (requires compiled runtime output) means the package manifest points at a source entry rather than a built one; switch to a dist build or set the package's plugins.entries.*.enabled to false for now. Do not run security audit with a half-loaded manifest, because its findings will describe a Gateway that is not the one you will launch.
The Skill Audit emphasis in v2026.4 means identifying workspace, shell, or network requests that are too broad before the Agent can invoke a Skill. Run the runbook below together with Dashboard isolation guidance in the Docker guide.
1. Inventory Skills: name every Skill to enable and its source (official catalog / private git / third-party zip); unnamed Skills do not enter production.
2. Read manifest capabilities: tag filesystem, exec, browser, and network; any "full access" class goes to staging only.
3. Run Skill Audit: complete the permission self-check via the official Dashboard or CLI path (same prompts as the install wizard Audit step).
4. Minimal Agent trial: read-only workspace plus single-turn chat; no inbound channels yet.
5. Enable channels last: connect Telegram, WeChat, or other inbound traffic only after channel allowlists and pairing are ready.
6. Leave an audit trail: record Audit output, Skill version, and Gateway version on the ticket for rollback within 30 days.
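Steps 2, 3 and 6 above, and the permission budget from the decision matrix, can be mechanised so the enable/disable decision is reproducible on the ticket. The script below is an added example written for this article, not OpenClaw code or the real Skill Audit: it assumes a hypothetical manifest shape ({"name", "version", "source", "capabilities"}) with capability strings such as fs:read:/path, fs:*, exec, browser and net:outbound, and encodes the runbook's rules (full access stays in staging, out-of-budget paths are denied, exec needs an approval list, unnamed Skills never enter production). The sample manifests are constructed.

```python
"""Permission-budget gate for community Skills.

Added example, not OpenClaw code. It assumes a Skill manifest shaped like
{"name", "version", "source", "capabilities": [...]} where each capability
is one of "fs:<read|write|*>:<path>", "fs:*", "exec", "browser", "net:outbound".
The real OpenClaw manifest schema and the real Skill Audit prompts may differ;
the budget rules below follow the runbook, not a published OpenClaw policy.
"""
import posixpath
from dataclasses import dataclass, field

# Verdict severity: a Skill only ever moves toward the stricter decision.
_RANK = {"enable": 0, "staging-only": 1, "deny": 2}


@dataclass(frozen=True)
class Budget:
    """What production Agents may grant. Hypothetical structure."""
    allowed_prefixes: tuple                  # path prefixes the Agent may read or write
    exec_approved: frozenset = frozenset()   # Skill names on the exec approval list
    browser_allowed: bool = False
    net_allowed: bool = False


@dataclass
class Verdict:
    skill: str
    version: str = ""
    decision: str = "enable"
    tags: set = field(default_factory=set)   # filesystem / exec / browser / network
    reasons: list = field(default_factory=list)

    def restrict(self, to, why):
        if _RANK[to] > _RANK[self.decision]:
            self.decision = to
        self.reasons.append(why)


def path_in_budget(path, prefixes):
    """True if path is inside one allowed prefix ("/srv/ws2" must not match "/srv/ws")."""
    p = posixpath.normpath(path)             # collapses ../ traversal before the check
    if not p.startswith("/"):
        return False                          # relative paths escape the sandbox via cwd
    for pre in prefixes:
        pre = posixpath.normpath(pre)
        if pre == "/" or p == pre or p.startswith(pre + "/"):
            return True
    return False


def audit_skill(manifest, budget):
    """Tag the manifest's capabilities and decide enable / staging-only / deny."""
    name = manifest.get("name") or "<unnamed>"
    v = Verdict(skill=name, version=manifest.get("version", ""))
    if name == "<unnamed>" or not manifest.get("source") or not v.version:
        v.restrict("deny", "unnamed, unversioned or unsourced Skill does not enter production")
        return v
    for cap in manifest.get("capabilities", []):
        kind, _, rest = cap.partition(":")
        if kind == "fs":
            v.tags.add("filesystem")
            mode, _, path = rest.partition(":")
            if mode == "*" or path in ("", "/", "*"):
                v.restrict("staging-only", f"{cap}: full workspace access, staging only")
            elif not path_in_budget(path, budget.allowed_prefixes):
                v.restrict("deny", f"{cap}: path outside the permission budget")
        elif kind == "exec":
            v.tags.add("exec")
            if name not in budget.exec_approved:
                v.restrict("staging-only", "exec requested but Skill is not on the approval list")
        elif kind == "browser":
            v.tags.add("browser")
            if not budget.browser_allowed:
                v.restrict("deny", "browser automation is not in the budget")
        elif kind == "net":
            v.tags.add("network")
            if not budget.net_allowed:
                v.restrict("deny", "outbound network is not in the budget")
        else:
            v.restrict("deny", f"unknown capability {cap!r}")
    return v


def audit_trail(verdicts, gateway_version):
    """Ticket lines: decision, tags, Skill version and Gateway version, for rollback."""
    return [
        f"{v.skill}@{v.version or '?'} gateway={gateway_version} "
        f"decision={v.decision} tags={','.join(sorted(v.tags)) or '-'} "
        f"reasons={'; '.join(v.reasons) or '-'}"
        for v in verdicts
    ]


# Constructed sample manifests (not real Skills).
SKILLS = [
    {"name": "md-tidy", "version": "1.4.0", "source": "official-catalog",
     "capabilities": ["fs:read:/srv/workspace/docs", "fs:write:/srv/workspace/docs/out"]},
    {"name": "repo-sync", "version": "0.9.2", "source": "private-git",
     "capabilities": ["fs:read:/srv/workspace", "exec", "net:outbound"]},
    {"name": "batch-renamer", "version": "2.0.0", "source": "third-party-zip",
     "capabilities": ["fs:*"]},
    {"name": "home-peek", "version": "0.1.0", "source": "third-party-zip",
     "capabilities": ["fs:read:/srv/workspace/../../home/ops/.ssh"]},
    {"version": "1.0.0", "source": "third-party-zip", "capabilities": []},
]
PROD_BUDGET = Budget(allowed_prefixes=("/srv/workspace",),
                     exec_approved=frozenset({"repo-sync"}), net_allowed=True)


def gate(skills=SKILLS, budget=PROD_BUDGET):
    """Map each Skill name to its production decision."""
    return {v.skill: v.decision for v in (audit_skill(s, budget) for s in skills)}


if __name__ == "__main__":
    for line in audit_trail([audit_skill(s, PROD_BUDGET) for s in SKILLS], "2026.4.22"):
        print(line)
```

The traversal case (home-peek) is the one worth keeping in your own version: a prefix check that does not normalise the path first will accept /srv/workspace/../../home/ops/.ssh as inside the workspace. The exec approval list is deliberately keyed by Skill name, so a renamed or re-published package has to go through the ticket again.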
| Capability flag | Risk | Production default |
|---|---|---|
| Full workspace read/write | Leaks API keys, SSH private keys | Deny; use path-prefix sandboxes |
| exec / shell | Supply-chain RCE | Staging only; production needs an approval list |
| Browser automation | Session hijack, internal network probes | Pair with headless Skill lists or Relay isolation |
| Outbound webhooks | Unauthenticated inbound callbacks | IP allowlists plus idempotency keys; see webhook runbooks |
openclaw security audit scans Gateway configuration and exposure—open DM policies, dangerous debug flags, tool permissions, plugin/Skill supply-chain hints—and complements Skill Audit. Before launch, use a fixed order: doctor → security audit --deep → (optional) channels status --probe.
```shell
openclaw doctor --non-interactive
openclaw security audit --deep
openclaw security audit --json
openclaw channels status --probe
```
| Tool | Answers | Auto-fix |
|---|---|---|
| openclaw doctor | Config migration, service health, channel warnings, pairing issues | --fix is bounded; session archive needs confirmation |
| security audit | Exposure, critical policies, dangerous flags | --fix only narrows items (allowlists, log redaction) |
| Skill Audit | Whether one Skill asks for too much | Human enable/disable decision |
Gateway tool layers from 2026.4.14+ block models from using config.patch to flip audit-flagged dangerous switches (e.g. dangerouslyDisableDeviceAuth). If audit reports config.insecure_or_dangerous_flags, treat it as a release blocker, not a warning to ignore. Deep scans can add live Gateway probes—schedule those in a maintenance window.
Note: security audit --fix will not uninstall a malicious Skill; uninstall and version rollback still go through pinned plugins install plus state volume recovery.
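The pinning rules from the pre-install parameters and the audit gates above combine into one fail-closed launch check. The script below is an added example, not OpenClaw tooling: the JSON field names it reads from security audit --json (a "findings" list with "id" and "severity") and from update --json (a "status" plus a "drift" list) are assumptions to be mapped onto the real output, and the reports it ships with are constructed. What it does reproduce from the article is the ordering (doctor first), the exact-version pin requirement, config.insecure_or_dangerous_flags as a blocker regardless of label, and a missing or unparseable report counting as a block rather than a pass.

```python
"""Fail-closed launch gate: pinned specs, security audit findings, update drift.

Added example, not OpenClaw code. The JSON shapes are assumptions: it treats
openclaw security audit --json as {"findings": [{"id", "severity", ...}]} and
openclaw update --json as {"status", "drift": [{"package", "expected", "actual"}]}.
Map the field names onto the real output before using this on a Gateway.
"""
import json
import re
import subprocess

# Exact semver pin, optionally scoped: "@scope/pkg@1.2.3" yes; "pkg@latest" / "pkg@^1.2.3" no.
PIN_RE = re.compile(
    r"^(@[a-z0-9][a-z0-9._-]*/)?[a-z0-9][a-z0-9._-]*@\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$")
# Finding ids the article treats as release blockers whatever their severity label.
BLOCKING_IDS = frozenset({"config.insecure_or_dangerous_flags"})


def is_pinned(spec):
    return PIN_RE.fullmatch(spec) is not None


def run_json(args):
    """Run an openclaw subcommand and parse JSON; any failure returns None (fail closed)."""
    try:
        proc = subprocess.run(["openclaw", *args], capture_output=True, text=True, timeout=120)
        return json.loads(proc.stdout)
    except (OSError, subprocess.TimeoutExpired, ValueError):
        return None


def audit_blockers(report):
    """Critical findings, plus known-dangerous ids even if the label is softer."""
    if not isinstance(report, dict):
        return ["security audit report missing or unparseable"]
    out = []
    for f in report.get("findings", []):
        fid, sev = f.get("id", "?"), f.get("severity", "").lower()
        if sev == "critical" or fid in BLOCKING_IDS:
            out.append(f"audit {fid} ({sev or 'unrated'}): {f.get('detail', '')}".rstrip(": "))
    return out


def drift_blockers(report):
    """Any integrity drift, or a non-ok update status, blocks the launch."""
    if not isinstance(report, dict):
        return ["update report missing or unparseable"]
    out = [f"integrity drift in {d.get('package', '?')}: "
           f"expected {d.get('expected')} got {d.get('actual')}"
           for d in report.get("drift", [])]
    if report.get("status") != "ok" and not out:
        out.append(f"openclaw update status {report.get('status')!r}")
    return out


def launch_gate(specs, doctor_ok, audit_report, update_report):
    """Fixed order: doctor -> pins -> security audit -> update drift. Returns (ok, blockers)."""
    if not doctor_ok:
        return False, ["doctor failed: fix config migration / service health before auditing"]
    blockers = [f"unpinned install spec {s!r}" for s in specs if not is_pinned(s)]
    blockers += audit_blockers(audit_report)
    blockers += drift_blockers(update_report)
    return not blockers, blockers


# Constructed reports (not real openclaw output).
AUDIT_CLEAN = {"findings": [{"id": "channels.telegram.dm_policy", "severity": "warning"}]}
AUDIT_BAD = {"findings": [
    {"id": "config.insecure_or_dangerous_flags", "severity": "critical",
     "detail": "dangerouslyDisableDeviceAuth=true"},
    {"id": "channels.telegram.dm_policy", "severity": "warning"},
]}
UPDATE_OK = {"status": "ok", "drift": []}
UPDATE_DRIFT = {"status": "aborted", "drift": [
    {"package": "@scope/pkg", "expected": "sha512-AAAA", "actual": "sha512-BBBB"}]}


if __name__ == "__main__":
    # Offline demo with the constructed reports; on a real node swap in
    # run_json(["security", "audit", "--json"]) and run_json(["update", "--json"]).
    ok, why = launch_gate(["@scope/pkg@1.2.3"], True, AUDIT_BAD, UPDATE_DRIFT)
    print("launch:", "GO" if ok else "BLOCKED")
    for w in why:
        print(" -", w)
```

Note that the gate only ever reports; it never calls security audit --fix or reinstalls anything, which matches the article's point that remediation (uninstall, pinned reinstall, state volume recovery) stays a human, ticketed step.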
On a VPS, a common failure is the host CLI and the in-container Gateway using different state directories, so openclaw devices approve or openclaw plugins list looks falsely empty even though the Gateway is healthy. Remote Mac nodes suit team Gateways that need long-lived model caches and plugin directories.
| Symptom | Check first | Typical action |
|---|---|---|
| plugins list missing new package | Restart done? Volume mounts? | gateway restart; install inside Compose exec |
| audit critical blocks launch | Dangerous flags, open DMs | Disable debug; tighten allowlists |
| update integrity drift | --json drift fields | Reinstall pinned version; do not skip verification |
| doctor vs plugin version clash | Peer dependency table | Upgrade core or downgrade plugin tag; never one side only |
| Disk growth after Skill enable | Session / browser cache | Follow disk watermark runbooks |
Keep the control plane on 127.0.0.1:18789 and use ssh -L 18789:127.0.0.1:18789 user@vps for Control UI Audit work instead of exposing the admin port publicly. For log triage, still use the channel / Gateway / model three-part split in the doctor troubleshooting checklist.
If your team needs auditable plugin changes, predictable SLA, and 24/7 Gateway uptime, repeated install/rollback cycles on a laptop cost more than they save. For production environments that run iOS CI/CD alongside persistent OpenClaw Agents, VpsMesh Mac Mini cloud rental is usually the better fit—dedicated nodes with predictable disk and bandwidth make it easier to pin plugin directories and state volumes. See rental pricing and the Help Center for remote access patterns.
Skill Audit reviews what a single Skill asks to do; security audit reviews whole-Gateway policy and exposure. Run both before launch, and run doctor first. See the deployment and security audit guide for the full sequence.
Start with openclaw plugins list and openclaw doctor; confirm manifest and runtime artifacts. On Docker, verify volume mounts. Do not change model tags in the same ticket—see the runtime troubleshooting guide.
Read drift fields with openclaw update --json, reinstall the pinned version from a trusted registry, then run security audit --deep. For node sizing, see rental pricing and the Help Center.