OpenClaw’s Tool-Descriptor Hardening Cluster Is Plugin Security Becoming Runtime Hygiene

The dangerous part of an agent tool ecosystem is not only the moment a tool runs. It is the metadata pipeline that decides which tools exist, how they are described to the model, what schema providers serialize, what doctor reports, and what operators see in logs when things go sideways. That is why OpenClaw’s late-night tool-descriptor hardening cluster deserves attention. It is plugin security moving from conference-talk theory into runtime hygiene.

The cluster starts with PR #89253, created 2026-06-01T23:23:28Z, which guards runtime plugin tool candidates against poisoned descriptor getters. Then #89263, created at 2026-06-02T00:27:04Z, hardens static tool descriptors in the plugin SDK. #89266, created at 00:46:06Z, quarantines primitive or array runtime descriptors before provider normalization and sanitizes doctor findings. #89270, created at 00:59:48Z, sanitizes provider and runtime tool-schema diagnostic logs so plugin-controlled text does not become an operator-facing mess.

Read separately, those sound like defensive cleanup. Read together, they are OpenClaw admitting that “tool metadata” is executable-adjacent and therefore untrusted. That is the right admission.

“Just metadata” is where the model learns reality

A tool descriptor typically contains fields that look harmless: name, execute, parameters, description, label, maybe a displaySummary. In a normal application, malformed display metadata is annoying. In an agent runtime, descriptor metadata becomes part of the model’s action space. It shapes what the model believes it can call. It is projected into provider-specific schemas. It is cached by planners and plugin manifests. It is rendered by diagnostics. It may be logged during incidents and copied into tickets.

That gives descriptor handling a larger blast radius than it appears to have. A poisoned getter can throw when inspected, crashing discovery. A malformed descriptor can corrupt sibling tool registration if validation fails too broadly. A plugin-controlled name or warning can inject terminal control characters into logs or doctor output. An invalid parameters shape can become an apparently valid provider schema after normalization if the runtime tries too hard to be helpful. None of that requires the tool itself to execute. The metadata path is enough.

PR #89253 addresses the runtime side by guarding candidate inspection against poisoned getters for fields including name, execute, parameters, description, label, and displaySummary. It snapshots accepted descriptor fields so a malicious optional getter is not reachable downstream after the descriptor has been accepted. The PR reports proof on Azure Crabbox with run run_95ca8a20197a, lease cbx_06e2e1c4e590, and corepack pnpm check:changed exiting 0. The review surface is modest but meaningful: source +168, tests +89, total +257 across three files.

That snapshot detail matters. Defensive validation that immediately hands the original object downstream is only half a defense. If the original descriptor still owns lazy getters or mutated fields, the runtime can pass validation and fail later in a less controlled context. Snapshotting converts a plugin-owned object into a runtime-owned representation. That is the boundary you want.

Runtime tolerance, authoring strictness

#89263 handles the authoring side through defineToolPlugin. Malformed static descriptors are skipped with diagnostics instead of crashing plugin definition or registering unsafe defaults. Those diagnostics surface through openclaw plugins build and openclaw plugins validate, and the SDK API baseline metadata is updated. ClawSweeper correctly flags compatibility risk: malformed third-party packages that previously limped along may now need source fixes.

That tradeoff is acceptable if OpenClaw draws the boundary clearly. Runtime should isolate a bad plugin tool and preserve valid sibling tools when it can. Authoring and validation should be stricter. A plugin package that ships malformed descriptors should fail in CI, not in a user’s long-lived Slack session after a gateway restart. The platform seems to be moving toward that split: tolerate and quarantine in the runtime, fail closed in build/validate, and sanitize at the log boundary.

#89266 extends that runtime quarantine. Primitive and array descriptors are blocked before provider normalization, which matters because schema normalization layers are often written to be forgiving. Forgiveness is useful for developer ergonomics but dangerous when an invalid object can be massaged into a valid-looking provider payload. The same PR sanitizes plugin-controlled runtime tool-schema diagnostics before doctor renders health findings. That is not polish; doctor output is an operational interface. If plugin-owned text can poison it, incident response becomes another attack surface.

#89270 finishes the loop by sanitizing warning text and structured log metadata. It avoids reading plugin-owned tool.name directly during diagnostics, preserves the existing 12-violation log cap, and retains original violation counts. That last detail is a nice example of defensive engineering that does not throw away observability. Operators still need to know how many violations happened even when logs avoid rendering every unsafe detail.
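As an added illustration that is not OpenClaw's code (helper names, field checks and the runtime-assigned label are assumptions), the snapshot-then-quarantine pattern described for #89253 and #89266 and the capped, sanitized diagnostic described for #89270, in one runtime-side sketch:

```javascript
// Added illustration (not OpenClaw's code): snapshot, quarantine and sanitize a
// plugin-supplied tool descriptor. Helper names are hypothetical.
const CONTROL_CHARS = /[\u0000-\u001f\u007f-\u009f]/g; // includes ESC, so ANSI sequences are caught
const MAX_LOGGED_VIOLATIONS = 12; // render at most this many, but keep the true count
// Reads one field through a possibly poisoned getter; a throw is recorded, not propagated.
function readField(candidate, key, violations) {
  try {
    return candidate[key];
  } catch (_err) {
    violations.push(`getter for "${key}" threw`);
    return undefined;
  }
}

// Returns { tool, violations }; tool is a runtime-owned plain copy, or null if quarantined.
function snapshotToolDescriptor(candidate) {
  // Quarantine primitives and arrays before any forgiving normalization sees them.
  if (candidate === null || typeof candidate !== "object" || Array.isArray(candidate)) {
    return { tool: null, violations: ["descriptor is not a plain object"] };
  }
  const violations = [];
  const name = readField(candidate, "name", violations);
  const execute = readField(candidate, "execute", violations);
  const parameters = readField(candidate, "parameters", violations);
  const description = readField(candidate, "description", violations);
  if (typeof name !== "string" || name.length === 0) violations.push("name must be a non-empty string");
  else if (name.replace(CONTROL_CHARS, "") !== name) violations.push("name contains control characters");
  if (typeof execute !== "function") violations.push("execute must be a function");
  let schema;
  if (parameters === null || typeof parameters !== "object" || Array.isArray(parameters)) {
    violations.push("parameters must be an object schema");
  } else {
    try {
      schema = JSON.parse(JSON.stringify(parameters)); // deep data copy; nested getters run once, here
    } catch (_err) {
      violations.push("parameters could not be serialized");
    }
  }
  if (violations.length > 0) return { tool: null, violations };
  // The snapshot owns its data: later mutation of the plugin object cannot reach downstream consumers.
  const safeDescription = typeof description === "string" ? description : "";
  return { tool: { name, execute, parameters: schema, description: safeDescription }, violations };
}
// Operator-facing diagnostic: label is a runtime-assigned id, not plugin-owned tool.name; plugin-derived
// text is stripped of control characters, and the real violation count survives the render cap.
function formatViolationLog(label, violations) {
  const shown = violations.slice(0, MAX_LOGGED_VIOLATIONS).map((v) => v.replace(CONTROL_CHARS, "?"));
  return { label: String(label).replace(CONTROL_CHARS, "?").slice(0, 64), shown, total: violations.length };
}
```

The same inputs a plugin author would feed into CI fuzzing (throwing getters, arrays, control characters in names) are the cases worth asserting against these helpers.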

For OpenClaw plugin authors, the action item is not “wait for the platform to catch bad descriptors.” Add descriptor fuzzing to plugin CI. Test throwing getters, primitive descriptors, arrays where objects are expected, missing execute, invalid parameters, ANSI and control characters in names, overlong descriptions, dynamic-schema keywords providers cannot serialize, and valid sibling tools next to invalid ones. The bar is not whether your plugin works in the happy path. The bar is whether it cannot corrupt tool discovery, provider schema projection, doctor output, or logs for the rest of the runtime.

For operators, this cluster is another reason to treat plugins like supply-chain artifacts, not convenience snippets. Prefer packages that pass the current openclaw plugins validate check. Watch for releases that change SDK descriptor behavior. When a plugin update suddenly fails validation, resist the urge to bypass the check until you understand whether the failure is authoring strictness catching real malformed metadata. Plugin ecosystems get safer when breakage moves left into build pipelines.

The larger editorial point is that MCP and plugin security are not only about tool-call allowlists. The tool descriptor is the seed crystal for the entire action surface. If that metadata is untrusted, every consumer of it needs to behave accordingly: snapshot it, validate it, quarantine it, sanitize it, and make failures legible. OpenClaw’s descriptor-hardening cluster is boring in the best way. It is the kind of boring agent platforms need before “install this plugin” stops sounding like “run this stranger’s code and hope the logs are nice.”

Sources: OpenClaw PR #89253, OpenClaw PR #89263, OpenClaw PR #89266, OpenClaw PR #89270, OpenClaw v2026.6.1-beta.2 release