#WARN plugins.allow contains entries with no matching installed plugin

why am I getting this warning after updating to the latest version?

OpenClaw 2026.4.15 (041266a)

my config.plugins

  "plugins": {
    "slots": {
      "contextEngine": "lossless-claw"
    },
    "entries": {
      "openai": {
        "enabled": true
      },
      "google": {
        "enabled": true
      },
      "openrouter": {
        "enabled": true
      },
      "lossless-claw": {
        "enabled": true,
        "config": {
          "summaryModel": "openai-codex/gpt-5.4-mini",
          "expansionModel": "openai-codex/gpt-5.4-mini",
          "freshTailCount": 64,
          "leafChunkTokens": 20000,
          "contextThreshold": 0.75,
          "incrementalMaxDepth": 1,
          "ignoreSessionPatterns": [
            "agent:*:cron:**"
          ]
        }
      },

      "memory-core": {
        "config": {
          "dreaming": {
            "enabled": true
          }
        }
      },

      "tavily": {
        "enabled": true,
        "config": {
          "webSearch": {
            "apiKey": "tvl...IVOlJO"
          }
        }
      }
    },

    "installs": {
      "lossless-claw": {
        "source": "npm",
        "spec": "@martian-engineering/lossless-claw@0.9.0",
        "installPath": "/root/.openclaw/extensions/lossless-claw",
        "version": "0.9.0",
        "resolvedName": "@martian-engineering/lossless-claw",
        "resolvedVersion": "0.9.0",
        "resolvedSpec": "@martian-engineering/lossless-claw@0.9.0",
        "integrity": "sha512-JhLPxUbGRQfZxwVaTfD0Ryg5o3kBXFm4yS+cm8SD7iGfi1hCqUk7MaAtezlr66hhilWdgqAv4WPwwXzeoKFmkw==",
        "shasum": "cc960d869f30710a2483c2f68c532939bf8ea37f",
        "resolvedAt": "2026-04-17T00:03:20.820Z",
        "installedAt": "2026-04-17T00:05:45.929Z"
      }
    },
    "allow": [
      "lossless-claw",
      "openai",
      "google",
      "openrouter",
      "discord",
      "memory-core",
      "tavily"
    ]
  },```

Yep, I think this is a false positive in 2026.4.15.

I checked the code path for that warning. The audit behind:

plugins.allow contains entries with no matching installed plugin

is only checking your actual installed extensions directory plus bundled channel plugins. In your config, only lossless-claw is a true installed extension under ~/.openclaw/extensions. Entries like openai, google, openrouter, tavily, and memory-core are bundled plugins, so this audit can incorrectly flag them.

So the short version is:

• your runtime config is probably fine
• the warning is from the security audit, not from plugin loading itself
• lossless-claw is the thing that makes the audit run, because you do have at least one installed extension

Workarounds:

• ignore the warning for now, or
• remove bundled IDs from plugins.allow if you want to silence it and keep only truly external/plugin-install ids there

Docs:
https://docs.openclaw.ai/gateway/security
https://docs.openclaw.ai/plugins/architecture

Honestly, this looks bug-worthy. If you want it fixed upstream, please file an issue here:
https://github.com/openclaw/openclaw/issues

If you paste the exact warning body, I can tell you which entries it’s complaining about.

    The following plugins.allow entries do not correspond to any installed plugin: openai, google, openrouter, memory-core, tavily. Phantom entries could be exploi…```

Yep, that confirms it.

The warning is flagging exactly the bundled, non-extension plugin IDs:

• openai
• google
• openrouter
• memory-core
• tavily

Notice discord is not listed. That’s the giveaway. The audit already exempts bundled channel plugins, but it is still treating bundled provider/memory/web-search plugins as if they should exist in ~/.openclaw/extensions.

So this is very likely a false positive / audit bug, not an actual bad config.

Practical workaround right now:

• keep lossless-claw in plugins.allow
• discord is fine

• the flagged bundled IDs are the ones causing the noisy warning

If you want, I can draft a tight GitHub issue text for you to paste.

why can't my agent recognize this as a false positive like you can? What is wrong with my agent???

Probably nothing is wrong with it, it just didn’t do the extra verification work.

To spot this as a false positive, the agent had to do more than read the warning. It needed to:

1. find the exact warning in source
2. inspect what that audit actually checks
3. compare that with plugin registry / runtime behavior

A lot of agents stop at, “the app says warning, so warning is real.”

So the likely problem is one of these:

• not enough repo/tool access
• didn’t search source
• prompt/process too shallow
• model/tool-use quality not great for debugging

This kind of bug is especially easy to miss because the warning sounds authoritative.

If you want better behavior, tell your agent something like:

Do not trust warnings at face value. Search the source for the exact warning text, inspect the code path that emits it, and verify whether runtime behavior matches before concluding.

Also, agents do much better when they can inspect the actual checkout locally:
https://docs.openclaw.ai/help/faq

If you want, I can help you write a stronger AGENTS.md rule for this exact failure mode.

yes please

Yep, I’d add something like this to AGENTS.md:

## Debugging discipline for warnings and errors

When a user reports a warning, error, or suspicious diagnostic:

1. Do not assume the warning text is correct.
2. Search the repo for the exact warning/error string first.
3. Read the code path that emits it.
4. Identify which layer produced it:
   - config validation
   - security audit
   - plugin discovery
   - runtime activation
   - UI/status formatting

5. Cross-check that layer against the actual runtime/registry behavior before concluding.
6. If two code paths disagree, explicitly call out a possible false positive, stale warning, or regression.
7. Prefer quoting the emitting file/function over guessing.

For OpenClaw specifically:
- Read the FAQ first for config/setup questions.
- Verify config keys against docs or source before answering.
- Never tell the user to change config just because a warning sounds authoritative.
- Bundled plugins, auto-enabled plugins, compat shims, and registry-discovered plugins can make warnings misleading.
- If a warning mentions a plugin id, compare it against the plugin manifest registry, not just installed extension directories.

Required workflow:
- grep for the exact warning text
- inspect the emitter
- inspect the matching runtime/registry path

- then answer

If source inspection is not possible, say that clearly and lower confidence instead of pretending the warning is definitely real.

If you want, I can also give you a shorter, more aggressive version that’s better at preventing lazy “warning = truth” answers.

yes please

Yep, here’s the shorter, sharper version:

## Warning triage rule

Do not trust warning/error text at face value.

Before concluding that a warning is real, you must:
- search the repo for the exact warning string
- read the code that emits it
- identify whether it comes from validation, audit, discovery, or runtime
- compare that with the actual runtime/registry path

If those paths disagree, say it may be a false positive or regression.

For OpenClaw:

- verify plugin ids against the manifest registry, not just installed extension directories
- bundled plugins and compat shims can make warnings misleading
- never recommend config changes until the emitting code path is verified

If you cannot inspect source, say so and lower confidence.

If you want, I can also give you a super opinionated “don’t be lazy” version 😄

stop with if you want, just give me the best option

Fair. Use this:

## Mandatory warning triage

Never trust warning or error text at face value.

Before telling the user a warning is real, you must:
1. search the repo for the exact warning string
2. read the code that emits it
3. identify which layer emitted it:
   - config validation
   - security audit
   - plugin discovery
   - runtime activation
   - UI/status formatting