Is amandiwakar/ai-sentinel safe?

https://github.com/openclaw/skills/tree/main/skills/amandiwakar/ai-sentinel

Score: 77 · CAUTION

AI Sentinel is a well-structured OpenClaw plugin setup wizard with proper consent gates and transparent declarations. The primary risk is that it serves as an installation wrapper for an opaque npm package (ai-sentinel) that hooks into all agent lifecycle events, gaining access to all messages and tool calls. The Pro tier creates a persistent data pipeline to api.zetro.ai. Community/local mode is low-risk.

Category Scores

Prompt Injection 80/100 · 30%
Data Exfiltration 70/100 · 25%
Code Execution 65/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 65/100 · 5%

Findings (6)

MEDIUM Opaque npm package installation with broad lifecycle hooks -35

The skill instructs installing the 'ai-sentinel' npm package via 'openclaw plugins install', which downloads code from npm and registers it with hooks on all OpenClaw lifecycle events (message_received, before_tool_call, tool_result_persist, before_agent_start). The npm package contents are not auditable from the skill files alone, and npm packages can contain arbitrary postinstall scripts. The plugin gains access to all agent messages and tool calls.

MEDIUM Pro tier transmits agent traffic to third-party API -15

The Pro tier sends scan results (threat categories, confidence scores, actions taken) and optionally raw message content to https://api.zetro.ai. While properly disclosed with an explicit consent gate, this creates a persistent data pipeline where all agent communications flow through a third-party service. In cloud-scan mode, full message text is transmitted for classification.

LOW Reads OpenClaw configuration containing potential secrets -10

The skill instructs the agent to read ~/.openclaw/openclaw.json to understand its current structure before merging plugin configuration. This file may contain API keys, channel bindings, webhook URLs, and other plugin configurations that could be sensitive.

LOW Metadata inconsistency between README and SKILL.md -5

The README references 'ai-sentinel-sdk' as the installed package while SKILL.md declares 'ai-sentinel'. This inconsistency could indicate package confusion, version drift, or potential for a supply chain substitution where the wrong package name gets installed.

LOW Plugin registers agent-accessible tool -5

The ai-sentinel plugin registers an 'ai_sentinel_scan' tool that agents can invoke to manually scan content. This extends agent capabilities with third-party code, meaning the plugin's scan function runs within the agent's execution context.

INFO Strong consent gates and transparent declarations 0

The skill consistently uses AskUserQuestion before every file modification and properly declares all external services, environment variables, installed packages, and written files in structured frontmatter. The disable-model-invocation flag prevents autonomous triggering. The Community tier operates fully offline. These are security best practices.