@riddledc/openclaw-riddledc 0.3.4 → 0.4.0

package/CHECKSUMS.txt

@@ -1,4 +1,4 @@
-3185b3314096550b3b62561d979cedbf819a24a4fea6d001ace2a95c9c6e7f18  dist/index.cjs
+008b101829a770aab04361a6432304b6fe7edf4173fed1185339d6f53969b418  dist/index.cjs
 94ce04f0e2d84bf64dd68f0500dfdd2f951287a3deccec87f197261961927f6f  dist/index.d.cts
 94ce04f0e2d84bf64dd68f0500dfdd2f951287a3deccec87f197261961927f6f  dist/index.d.ts
-599dba9020d9825d7809b8f0ae6bceb6ccdfefc9a9be247299d13f1b73d84398  dist/index.js
+52e59ee4fd2c37fd503c9e52add79ef76e5959fdef1d0c5e191b132eba4027db  dist/index.js

package/README.md

@@ -1,5 +1,9 @@
 # @riddledc/openclaw-riddledc
 
+[![npm version](https://img.shields.io/npm/v/@riddledc/openclaw-riddledc.svg)](https://www.npmjs.com/package/@riddledc/openclaw-riddledc)
+[![Build Status](https://github.com/riddledc/integrations/actions/workflows/release.yml/badge.svg)](https://github.com/riddledc/integrations/actions)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
+
 OpenClaw plugin for [Riddle](https://riddledc.com) - hosted browser automation API. Take screenshots, run Playwright scripts, and automate web interactions from your OpenClaw agent.
 
 ## Install
@@ -57,11 +61,21 @@ Example response:
 
 ## Security
 
-- Never hardcode API keys in config files
-- Use environment variables or a secret manager
-- The plugin only communicates with `api.riddledc.com` over HTTPS
-- Hardcoded domain allowlist prevents credential exfiltration
-- See [SECURITY.md](./SECURITY.md) for full threat model and data flow
+- **Capability manifest**: See `openclaw.plugin.json` for declared permissions
+- **Network**: Only communicates with `api.riddledc.com` (hardcoded allowlist)
+- **Context**: No access to conversation history, other tools, or user profile
+- **Filesystem**: Only writes to `~/.openclaw/workspace/riddle/`
+- **Secrets**: Only requires `RIDDLE_API_KEY` (use env var, not config file)
+
+For defense in depth, run your agent with sandboxing:
+
+```yaml
+agents:
+  defaults:
+    sandbox: true
+```
+
+See [SECURITY.md](./SECURITY.md) for full threat model, data flow diagram, and capability details.
 
 ## Reproducible Builds
 

package/SECURITY.md

@@ -1,5 +1,22 @@
 # Security Model
 
+## Plugin vs Skill: What This Is
+
+This is a **plugin** (code), not a **skill** (prompt). Understanding the difference matters for trust:
+
+| Type | What it is | Trust implications |
+|------|------------|-------------------|
+| **Plugin** | Node.js code that runs in-process with OpenClaw | Has full process privileges; can access env vars, filesystem, network |
+| **Skill** | Markdown/prompt instructions that guide the LLM | No direct system access; influences agent via tool invocation |
+
+**This package is a plugin.** It runs as code inside the OpenClaw process. That means:
+
+- It *could* read any env var, file, or make any network call (plugins are trusted code)
+- We *choose* to constrain ourselves via hardcoded allowlists and explicit capability limits
+- You should audit the source or trust the npm provenance
+
+**This plugin does NOT bundle any skills.** It only provides tools. No prompt instructions are injected into your agent's context.
+
 ## Data Flow
 
 ```
@@ -33,6 +50,29 @@
 - Make network requests to arbitrary URLs from your machine
 - Run code locally (all execution happens on Riddle's servers)
 
+## Agent Context Access
+
+This plugin has **no access** to:
+
+| Context | Access |
+|---------|--------|
+| Conversation history | ❌ None |
+| Other tools' outputs | ❌ None |
+| User profile / preferences | ❌ None |
+| Other plugins' data | ❌ None |
+| System environment (except RIDDLE_API_KEY) | ❌ None |
+
+The plugin only sees data explicitly passed to its tools by the agent. It does not hook into message events, read logs, or access the agent's memory/context.
+
+## Capability Manifest
+
+This plugin declares its capabilities in `openclaw.plugin.json`. Key constraints:
+
+- **Network egress**: Only `api.riddledc.com` (hardcoded, enforced at runtime)
+- **Filesystem**: Write only to `~/.openclaw/workspace/riddle/`
+- **Tools**: Provides 5 tools; invokes no other agent tools
+- **Secrets**: Only `RIDDLE_API_KEY` required
+
 ## Security Controls
 
 ### 1. Hardcoded Domain Allowlist
@@ -67,9 +107,24 @@ Only requires one secret: `RIDDLE_API_KEY`. No OAuth, no cookies, no session sta
 |--------|------------|
 | API key exfiltration to attacker server | Hardcoded domain check blocks all non-riddledc.com requests |
 | Malicious config injection | Domain check runs at request time, not config time |
-| Supply chain attack (npm) | Use npm provenance to verify package origin |
-| Build tampering | Checksums + reproducible builds |
+| Supply chain attack (npm) | npm provenance + checksums + reproducible builds |
+| Build tampering | CHECKSUMS.txt with SHA256 hashes |
 | Local file access | Plugin only writes to designated workspace subdirectory |
+| Context/conversation leakage | Plugin has no access to agent context (see above) |
+| Prompt injection via tool output | Screenshots saved as file refs, not inline content |
+
+## Recommended: Run in Sandbox
+
+For defense in depth, consider running your agent with sandboxing enabled:
+
+```yaml
+# In your OpenClaw config
+agents:
+  defaults:
+    sandbox: true
+```
+
+This runs tools like `exec` in a Docker container, limiting blast radius if any plugin or skill misbehaves. While this plugin doesn't require sandboxing (it only calls a remote API), sandboxing protects against other plugins or prompt injection attacks.
 
 ## Reporting Security Issues
 

package/dist/index.cjs

@@ -221,10 +221,20 @@ function register(api) {
   api.registerTool(
     {
       name: "riddle_screenshot",
-      description: 'Riddle: take a screenshot of a single URL. Returns screenshot + console by default; pass include:["har"] to opt in to HAR capture.',
+      description: 'Riddle: take a screenshot of a single URL. Supports authenticated screenshots via cookies/localStorage. Returns screenshot + console by default; pass include:["har"] to opt in to HAR capture.',
       parameters: import_typebox.Type.Object({
         url: import_typebox.Type.String(),
         timeout_sec: import_typebox.Type.Optional(import_typebox.Type.Number()),
+        cookies: import_typebox.Type.Optional(import_typebox.Type.Array(import_typebox.Type.Object({
+          name: import_typebox.Type.String(),
+          value: import_typebox.Type.String(),
+          domain: import_typebox.Type.String(),
+          path: import_typebox.Type.Optional(import_typebox.Type.String()),
+          secure: import_typebox.Type.Optional(import_typebox.Type.Boolean()),
+          httpOnly: import_typebox.Type.Optional(import_typebox.Type.Boolean())
+        }), { description: "Cookies to inject for authenticated sessions" })),
+        localStorage: import_typebox.Type.Optional(import_typebox.Type.Record(import_typebox.Type.String(), import_typebox.Type.String(), { description: "localStorage key-value pairs to inject (e.g., JWT tokens)" })),
+        headers: import_typebox.Type.Optional(import_typebox.Type.Record(import_typebox.Type.String(), import_typebox.Type.String(), { description: "HTTP headers to send with requests" })),
         options: import_typebox.Type.Optional(import_typebox.Type.Record(import_typebox.Type.String(), import_typebox.Type.Any())),
         include: import_typebox.Type.Optional(import_typebox.Type.Array(import_typebox.Type.String())),
         harInline: import_typebox.Type.Optional(import_typebox.Type.Boolean())
@@ -233,7 +243,11 @@ function register(api) {
         if (!params.url || typeof params.url !== "string") throw new Error("url must be a string");
         const payload = { url: params.url };
         if (params.timeout_sec) payload.timeout_sec = params.timeout_sec;
-        if (params.options) payload.options = params.options;
+        const opts = { ...params.options || {} };
+        if (params.cookies) opts.cookies = params.cookies;
+        if (params.localStorage) opts.localStorage = params.localStorage;
+        if (params.headers) opts.headers = params.headers;
+        if (Object.keys(opts).length > 0) payload.options = opts;
         if (params.include) payload.include = params.include;
         if (params.harInline) payload.harInline = params.harInline;
         const result = await runWithDefaults(api, payload, { include: ["screenshot", "console"] });
@@ -245,10 +259,20 @@ function register(api) {
   api.registerTool(
     {
       name: "riddle_screenshots",
-      description: 'Riddle: take screenshots for multiple URLs in one job. Returns screenshots + console by default; pass include:["har"] to opt in to HAR capture.',
+      description: 'Riddle: take screenshots for multiple URLs in one job. Supports authenticated sessions via cookies/localStorage (shared across all URLs). Returns screenshots + console by default; pass include:["har"] to opt in to HAR capture.',
       parameters: import_typebox.Type.Object({
         urls: import_typebox.Type.Array(import_typebox.Type.String()),
         timeout_sec: import_typebox.Type.Optional(import_typebox.Type.Number()),
+        cookies: import_typebox.Type.Optional(import_typebox.Type.Array(import_typebox.Type.Object({
+          name: import_typebox.Type.String(),
+          value: import_typebox.Type.String(),
+          domain: import_typebox.Type.String(),
+          path: import_typebox.Type.Optional(import_typebox.Type.String()),
+          secure: import_typebox.Type.Optional(import_typebox.Type.Boolean()),
+          httpOnly: import_typebox.Type.Optional(import_typebox.Type.Boolean())
+        }), { description: "Cookies to inject for authenticated sessions" })),
+        localStorage: import_typebox.Type.Optional(import_typebox.Type.Record(import_typebox.Type.String(), import_typebox.Type.String(), { description: "localStorage key-value pairs to inject (e.g., JWT tokens)" })),
+        headers: import_typebox.Type.Optional(import_typebox.Type.Record(import_typebox.Type.String(), import_typebox.Type.String(), { description: "HTTP headers to send with requests" })),
         options: import_typebox.Type.Optional(import_typebox.Type.Record(import_typebox.Type.String(), import_typebox.Type.Any())),
         include: import_typebox.Type.Optional(import_typebox.Type.Array(import_typebox.Type.String())),
         harInline: import_typebox.Type.Optional(import_typebox.Type.Boolean())
@@ -259,7 +283,11 @@ function register(api) {
         }
         const payload = { urls: params.urls };
         if (params.timeout_sec) payload.timeout_sec = params.timeout_sec;
-        if (params.options) payload.options = params.options;
+        const opts = { ...params.options || {} };
+        if (params.cookies) opts.cookies = params.cookies;
+        if (params.localStorage) opts.localStorage = params.localStorage;
+        if (params.headers) opts.headers = params.headers;
+        if (Object.keys(opts).length > 0) payload.options = opts;
         if (params.include) payload.include = params.include;
         if (params.harInline) payload.harInline = params.harInline;
         const result = await runWithDefaults(api, payload, { include: ["screenshot", "console"] });
@@ -271,10 +299,20 @@ function register(api) {
   api.registerTool(
     {
       name: "riddle_steps",
-      description: 'Riddle: run a workflow in steps mode (goto/click/fill/etc.). Returns screenshot + console by default; pass include:["har"] to opt in to HAR capture.',
+      description: 'Riddle: run a workflow in steps mode (goto/click/fill/etc.). Supports authenticated sessions via cookies/localStorage. Returns screenshot + console by default; pass include:["har"] to opt in to HAR capture.',
       parameters: import_typebox.Type.Object({
         steps: import_typebox.Type.Array(import_typebox.Type.Record(import_typebox.Type.String(), import_typebox.Type.Any())),
         timeout_sec: import_typebox.Type.Optional(import_typebox.Type.Number()),
+        cookies: import_typebox.Type.Optional(import_typebox.Type.Array(import_typebox.Type.Object({
+          name: import_typebox.Type.String(),
+          value: import_typebox.Type.String(),
+          domain: import_typebox.Type.String(),
+          path: import_typebox.Type.Optional(import_typebox.Type.String()),
+          secure: import_typebox.Type.Optional(import_typebox.Type.Boolean()),
+          httpOnly: import_typebox.Type.Optional(import_typebox.Type.Boolean())
+        }), { description: "Cookies to inject for authenticated sessions" })),
+        localStorage: import_typebox.Type.Optional(import_typebox.Type.Record(import_typebox.Type.String(), import_typebox.Type.String(), { description: "localStorage key-value pairs to inject (e.g., JWT tokens)" })),
+        headers: import_typebox.Type.Optional(import_typebox.Type.Record(import_typebox.Type.String(), import_typebox.Type.String(), { description: "HTTP headers to send with requests" })),
         options: import_typebox.Type.Optional(import_typebox.Type.Record(import_typebox.Type.String(), import_typebox.Type.Any())),
         include: import_typebox.Type.Optional(import_typebox.Type.Array(import_typebox.Type.String())),
         harInline: import_typebox.Type.Optional(import_typebox.Type.Boolean()),
@@ -285,7 +323,11 @@ function register(api) {
         const payload = { steps: params.steps };
         if (typeof params.sync === "boolean") payload.sync = params.sync;
         if (params.timeout_sec) payload.timeout_sec = params.timeout_sec;
-        if (params.options) payload.options = params.options;
+        const opts = { ...params.options || {} };
+        if (params.cookies) opts.cookies = params.cookies;
+        if (params.localStorage) opts.localStorage = params.localStorage;
+        if (params.headers) opts.headers = params.headers;
+        if (Object.keys(opts).length > 0) payload.options = opts;
         if (params.include) payload.include = params.include;
         if (params.harInline) payload.harInline = params.harInline;
         const result = await runWithDefaults(api, payload, { include: ["screenshot", "console", "result"] });
@@ -297,10 +339,20 @@ function register(api) {
   api.registerTool(
     {
       name: "riddle_script",
-      description: 'Riddle: run full Playwright code (script mode). Returns screenshot + console by default; pass include:["har"] to opt in to HAR capture.',
+      description: 'Riddle: run full Playwright code (script mode). Supports authenticated sessions via cookies/localStorage. In scripts, use `await injectLocalStorage()` after navigating to the origin to apply localStorage values. Returns screenshot + console by default; pass include:["har"] to opt in to HAR capture.',
       parameters: import_typebox.Type.Object({
         script: import_typebox.Type.String(),
         timeout_sec: import_typebox.Type.Optional(import_typebox.Type.Number()),
+        cookies: import_typebox.Type.Optional(import_typebox.Type.Array(import_typebox.Type.Object({
+          name: import_typebox.Type.String(),
+          value: import_typebox.Type.String(),
+          domain: import_typebox.Type.String(),
+          path: import_typebox.Type.Optional(import_typebox.Type.String()),
+          secure: import_typebox.Type.Optional(import_typebox.Type.Boolean()),
+          httpOnly: import_typebox.Type.Optional(import_typebox.Type.Boolean())
+        }), { description: "Cookies to inject for authenticated sessions" })),
+        localStorage: import_typebox.Type.Optional(import_typebox.Type.Record(import_typebox.Type.String(), import_typebox.Type.String(), { description: "localStorage key-value pairs; use injectLocalStorage() in script after goto to apply" })),
+        headers: import_typebox.Type.Optional(import_typebox.Type.Record(import_typebox.Type.String(), import_typebox.Type.String(), { description: "HTTP headers to send with requests" })),
         options: import_typebox.Type.Optional(import_typebox.Type.Record(import_typebox.Type.String(), import_typebox.Type.Any())),
         include: import_typebox.Type.Optional(import_typebox.Type.Array(import_typebox.Type.String())),
         harInline: import_typebox.Type.Optional(import_typebox.Type.Boolean()),
@@ -311,7 +363,11 @@ function register(api) {
         const payload = { script: params.script };
         if (typeof params.sync === "boolean") payload.sync = params.sync;
         if (params.timeout_sec) payload.timeout_sec = params.timeout_sec;
-        if (params.options) payload.options = params.options;
+        const opts = { ...params.options || {} };
+        if (params.cookies) opts.cookies = params.cookies;
+        if (params.localStorage) opts.localStorage = params.localStorage;
+        if (params.headers) opts.headers = params.headers;
+        if (Object.keys(opts).length > 0) payload.options = opts;
         if (params.include) payload.include = params.include;
         if (params.harInline) payload.harInline = params.harInline;
         const result = await runWithDefaults(api, payload, { include: ["screenshot", "console", "result"] });

package/dist/index.js

@@ -197,10 +197,20 @@ function register(api) {
   api.registerTool(
     {
       name: "riddle_screenshot",
-      description: 'Riddle: take a screenshot of a single URL. Returns screenshot + console by default; pass include:["har"] to opt in to HAR capture.',
+      description: 'Riddle: take a screenshot of a single URL. Supports authenticated screenshots via cookies/localStorage. Returns screenshot + console by default; pass include:["har"] to opt in to HAR capture.',
       parameters: Type.Object({
         url: Type.String(),
         timeout_sec: Type.Optional(Type.Number()),
+        cookies: Type.Optional(Type.Array(Type.Object({
+          name: Type.String(),
+          value: Type.String(),
+          domain: Type.String(),
+          path: Type.Optional(Type.String()),
+          secure: Type.Optional(Type.Boolean()),
+          httpOnly: Type.Optional(Type.Boolean())
+        }), { description: "Cookies to inject for authenticated sessions" })),
+        localStorage: Type.Optional(Type.Record(Type.String(), Type.String(), { description: "localStorage key-value pairs to inject (e.g., JWT tokens)" })),
+        headers: Type.Optional(Type.Record(Type.String(), Type.String(), { description: "HTTP headers to send with requests" })),
         options: Type.Optional(Type.Record(Type.String(), Type.Any())),
         include: Type.Optional(Type.Array(Type.String())),
         harInline: Type.Optional(Type.Boolean())
@@ -209,7 +219,11 @@ function register(api) {
         if (!params.url || typeof params.url !== "string") throw new Error("url must be a string");
         const payload = { url: params.url };
         if (params.timeout_sec) payload.timeout_sec = params.timeout_sec;
-        if (params.options) payload.options = params.options;
+        const opts = { ...params.options || {} };
+        if (params.cookies) opts.cookies = params.cookies;
+        if (params.localStorage) opts.localStorage = params.localStorage;
+        if (params.headers) opts.headers = params.headers;
+        if (Object.keys(opts).length > 0) payload.options = opts;
         if (params.include) payload.include = params.include;
         if (params.harInline) payload.harInline = params.harInline;
         const result = await runWithDefaults(api, payload, { include: ["screenshot", "console"] });
@@ -221,10 +235,20 @@ function register(api) {
   api.registerTool(
     {
       name: "riddle_screenshots",
-      description: 'Riddle: take screenshots for multiple URLs in one job. Returns screenshots + console by default; pass include:["har"] to opt in to HAR capture.',
+      description: 'Riddle: take screenshots for multiple URLs in one job. Supports authenticated sessions via cookies/localStorage (shared across all URLs). Returns screenshots + console by default; pass include:["har"] to opt in to HAR capture.',
       parameters: Type.Object({
         urls: Type.Array(Type.String()),
         timeout_sec: Type.Optional(Type.Number()),
+        cookies: Type.Optional(Type.Array(Type.Object({
+          name: Type.String(),
+          value: Type.String(),
+          domain: Type.String(),
+          path: Type.Optional(Type.String()),
+          secure: Type.Optional(Type.Boolean()),
+          httpOnly: Type.Optional(Type.Boolean())
+        }), { description: "Cookies to inject for authenticated sessions" })),
+        localStorage: Type.Optional(Type.Record(Type.String(), Type.String(), { description: "localStorage key-value pairs to inject (e.g., JWT tokens)" })),
+        headers: Type.Optional(Type.Record(Type.String(), Type.String(), { description: "HTTP headers to send with requests" })),
         options: Type.Optional(Type.Record(Type.String(), Type.Any())),
         include: Type.Optional(Type.Array(Type.String())),
         harInline: Type.Optional(Type.Boolean())
@@ -235,7 +259,11 @@ function register(api) {
         }
         const payload = { urls: params.urls };
         if (params.timeout_sec) payload.timeout_sec = params.timeout_sec;
-        if (params.options) payload.options = params.options;
+        const opts = { ...params.options || {} };
+        if (params.cookies) opts.cookies = params.cookies;
+        if (params.localStorage) opts.localStorage = params.localStorage;
+        if (params.headers) opts.headers = params.headers;
+        if (Object.keys(opts).length > 0) payload.options = opts;
         if (params.include) payload.include = params.include;
         if (params.harInline) payload.harInline = params.harInline;
         const result = await runWithDefaults(api, payload, { include: ["screenshot", "console"] });
@@ -247,10 +275,20 @@ function register(api) {
   api.registerTool(
     {
       name: "riddle_steps",
-      description: 'Riddle: run a workflow in steps mode (goto/click/fill/etc.). Returns screenshot + console by default; pass include:["har"] to opt in to HAR capture.',
+      description: 'Riddle: run a workflow in steps mode (goto/click/fill/etc.). Supports authenticated sessions via cookies/localStorage. Returns screenshot + console by default; pass include:["har"] to opt in to HAR capture.',
       parameters: Type.Object({
         steps: Type.Array(Type.Record(Type.String(), Type.Any())),
         timeout_sec: Type.Optional(Type.Number()),
+        cookies: Type.Optional(Type.Array(Type.Object({
+          name: Type.String(),
+          value: Type.String(),
+          domain: Type.String(),
+          path: Type.Optional(Type.String()),
+          secure: Type.Optional(Type.Boolean()),
+          httpOnly: Type.Optional(Type.Boolean())
+        }), { description: "Cookies to inject for authenticated sessions" })),
+        localStorage: Type.Optional(Type.Record(Type.String(), Type.String(), { description: "localStorage key-value pairs to inject (e.g., JWT tokens)" })),
+        headers: Type.Optional(Type.Record(Type.String(), Type.String(), { description: "HTTP headers to send with requests" })),
         options: Type.Optional(Type.Record(Type.String(), Type.Any())),
         include: Type.Optional(Type.Array(Type.String())),
         harInline: Type.Optional(Type.Boolean()),
@@ -261,7 +299,11 @@ function register(api) {
         const payload = { steps: params.steps };
         if (typeof params.sync === "boolean") payload.sync = params.sync;
         if (params.timeout_sec) payload.timeout_sec = params.timeout_sec;
-        if (params.options) payload.options = params.options;
+        const opts = { ...params.options || {} };
+        if (params.cookies) opts.cookies = params.cookies;
+        if (params.localStorage) opts.localStorage = params.localStorage;
+        if (params.headers) opts.headers = params.headers;
+        if (Object.keys(opts).length > 0) payload.options = opts;
         if (params.include) payload.include = params.include;
         if (params.harInline) payload.harInline = params.harInline;
         const result = await runWithDefaults(api, payload, { include: ["screenshot", "console", "result"] });
@@ -273,10 +315,20 @@ function register(api) {
   api.registerTool(
     {
       name: "riddle_script",
-      description: 'Riddle: run full Playwright code (script mode). Returns screenshot + console by default; pass include:["har"] to opt in to HAR capture.',
+      description: 'Riddle: run full Playwright code (script mode). Supports authenticated sessions via cookies/localStorage. In scripts, use `await injectLocalStorage()` after navigating to the origin to apply localStorage values. Returns screenshot + console by default; pass include:["har"] to opt in to HAR capture.',
       parameters: Type.Object({
         script: Type.String(),
         timeout_sec: Type.Optional(Type.Number()),
+        cookies: Type.Optional(Type.Array(Type.Object({
+          name: Type.String(),
+          value: Type.String(),
+          domain: Type.String(),
+          path: Type.Optional(Type.String()),
+          secure: Type.Optional(Type.Boolean()),
+          httpOnly: Type.Optional(Type.Boolean())
+        }), { description: "Cookies to inject for authenticated sessions" })),
+        localStorage: Type.Optional(Type.Record(Type.String(), Type.String(), { description: "localStorage key-value pairs; use injectLocalStorage() in script after goto to apply" })),
+        headers: Type.Optional(Type.Record(Type.String(), Type.String(), { description: "HTTP headers to send with requests" })),
         options: Type.Optional(Type.Record(Type.String(), Type.Any())),
         include: Type.Optional(Type.Array(Type.String())),
         harInline: Type.Optional(Type.Boolean()),
@@ -287,7 +339,11 @@ function register(api) {
         const payload = { script: params.script };
         if (typeof params.sync === "boolean") payload.sync = params.sync;
         if (params.timeout_sec) payload.timeout_sec = params.timeout_sec;
-        if (params.options) payload.options = params.options;
+        const opts = { ...params.options || {} };
+        if (params.cookies) opts.cookies = params.cookies;
+        if (params.localStorage) opts.localStorage = params.localStorage;
+        if (params.headers) opts.headers = params.headers;
+        if (Object.keys(opts).length > 0) payload.options = opts;
         if (params.include) payload.include = params.include;
         if (params.harInline) payload.harInline = params.harInline;
         const result = await runWithDefaults(api, payload, { include: ["screenshot", "console", "result"] });

package/openclaw.plugin.json

@@ -2,8 +2,49 @@
   "id": "openclaw-riddledc",
   "name": "Riddle",
   "description": "Riddle (riddledc.com) hosted browser API tools for OpenClaw agents.",
-  "version": "0.3.4",
-  "notes": "0.3.1: Screenshots now saved to workspace files instead of inline base64 to prevent context bloat.",
+  "version": "0.4.0",
+  "notes": "0.3.4: Added capability manifest, npm provenance, checksums, SECURITY.md.",
+  "type": "plugin",
+  "bundledSkills": [],
+  "capabilities": {
+    "network": {
+      "egress": [
+        "api.riddledc.com"
+      ],
+      "enforced": true,
+      "note": "Hardcoded allowlist in assertAllowedBaseUrl() - cannot be overridden by config"
+    },
+    "filesystem": {
+      "write": [
+        "~/.openclaw/workspace/riddle/"
+      ],
+      "read": []
+    },
+    "agentContext": {
+      "conversationHistory": false,
+      "otherToolOutputs": false,
+      "userProfile": false,
+      "note": "Plugin only sees data explicitly passed to its tools"
+    },
+    "tools": {
+      "provides": [
+        "riddle_screenshot",
+        "riddle_screenshots",
+        "riddle_steps",
+        "riddle_script",
+        "riddle_run"
+      ],
+      "invokes": [],
+      "note": "Provides tools for agent use; does not invoke other agent tools"
+    },
+    "secrets": {
+      "required": [
+        "RIDDLE_API_KEY"
+      ],
+      "optional": [],
+      "note": "Key only sent to api.riddledc.com (enforced)"
+    }
+  },
   "configSchema": {
     "type": "object",
     "additionalProperties": false,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@riddledc/openclaw-riddledc",
-  "version": "0.3.4",
+  "version": "0.4.0",
   "description": "OpenClaw integration package for RiddleDC (no secrets).",
   "license": "MIT",
   "author": "RiddleDC",
@@ -24,7 +24,8 @@
     "dist",
     "openclaw.plugin.json",
     "CHECKSUMS.txt",
-    "SECURITY.md"
+    "SECURITY.md",
+    "LICENSE"
   ],
   "sideEffects": false,
   "engines": {