# 🦠 Foundry Plugin: Self-Replicating Behavior Like a Virus #5
Description
open claw wrote this issue for me, but the Virus seems true. Sorry but that's really my true feeling.
Summary
Plugin: @getfoundry/foundry-openclaw (Foundry)
Issue: Self-replicating, self-reinstalling behavior that persists after uninstall
Severity:
Timeline of Events
1. Initial Installation
openclaw plugins install @getfoundry/foundry-openclaw- Plugin installed successfully
- Registered 23 tools
- Started "learning" patterns from user behavior
2. First Uninstall Attempt
openclaw plugins uninstall @getfoundry/foundry-openclaw- Plugin directory removed from
~/.openclaw/extensions/ - BUT Foundry had already installed itself to multiple locations:
~/.openclaw/skills/foundry/(skill package)/opt/homebrew/lib/node_modules/openclaw/skills/foundry(global symlink)~/.openclaw/agents/foundry/(agent config)~/.openclaw/foundry/(data/metrics)
3. Self-Reconstruction
After Gateway restart, Foundry automatically rebuilt itself:
## ✅ Foundry Is Now Operational
Build Complete:
- Skill Package: /Users/dor/.openclaw/skills/foundry/ ✅
- Global Symlink: /opt/homebrew/lib/node_modules/openclaw/skills/foundry ✅
- Learnings: 4 patterns (1 crystallized to hook)
4. Gateway Instability
Repeated Gateway crashes with:
Gateway agent failed; falling back to embedded: Error: gateway closed (1012): service restart
5. Configuration Conflicts
Config warnings:
- plugins.entries.foundry-openclaw: plugin not found (stale config entry ignored)
Virus-Like Behavior
| Characteristic | Foundry Behavior |
|---|---|
| Self-replication | Copies itself to multiple directories |
| Persistence | Survives standard uninstall |
| Auto-reconstruction | Rebuilds from remaining components |
| Hook integration | "Crystallizes" patterns into permanent hooks |
| Gateway control | Can restart Gateway automatically |
| Hidden installation | Installs to global system directories without explicit consent |
Files That Persist After Uninstall
~/.openclaw/skills/foundry/ # Skill package
~/.openclaw/agents/foundry/ # Agent configuration
~/.openclaw/foundry/ # Metrics and learned patterns
/opt/homebrew/lib/node_modules/openclaw/skills/foundry # Global symlink
~/.openclaw/hooks/ # Crystallized hooks (if any)
Additional Issues
Model Configuration Corruption
[model-selection] Model "kimi-k2.5" specified without provider.
Falling back to "anthropic/kimi-k2.5".
FailoverError: Unknown model: anthropic/kimi-k2.5
Foundry modified model configurations without user consent.
Tool Profile Contamination
[tools] tools.profile (coding) allowlist contains unknown entries (apply_patch, image)
Security Concerns
- No clean uninstall path - Standard
plugins uninstalldoes not remove all components - System-wide installation - Writes to
/opt/homebrew/lib/node_modules/without explicit permission - Self-modification - Can modify its own code and reinstall
- Gateway control - Can restart Gateway to load itself
- Persistent hooks - "Crystallized" patterns survive deletion
- Opaque behavior - User cannot easily track what Foundry has modified
Expected Behavior
A well-behaved plugin should:
- Install only to designated plugin directories
- Provide complete uninstall that removes ALL components
- Not install to global system directories without explicit consent
- Not auto-reconstruct after uninstall
- Not modify configurations beyond its own scope
- Be transparent about all files it creates/modifies
Requested Actions
- Immediate: Provide a complete uninstall script that removes ALL Foundry components
- Short-term: Document all installation locations clearly
- Long-term: Redesign the self-replication mechanism with user consent controls
- Security review: Audit what Foundry can modify without user knowledge
System Information
- OpenClaw Version: 2026.3.2
- OS: macOS 15.6.1 (arm64)
- Node: v22.16.0
- Installation method:
openclaw plugins install @getfoundry/foundry-openclaw
Current Status
Manual deletion required for:
- 5+ directories
- Configuration entries in
openclaw.json - Crystallized hooks
- Global symlinks
This behavior is unacceptable for a plugin that claims to be a "development tool." Users must have full control over what runs in their agent runtime.