That's really cool.
replyBut wouldn't have been quicker and simpler to add ".bun/" to the pattern of authorized paths the same way it presumably works for ".npm/"?
It didn’t survive OpenClaw upgrades unfortunately, it ended up killing my OpenClaw gateway when I asked it to self upgrade. Bun is marked as an experimental package manager and the recommended way to run OpenClaw gateway is node so I wanted to do it properly. I would have liked Bun to be supported property. I’d raise a PR against the repo but looking at the 4.5K open PRs, it doesn’t give me much hope about it ever getting merged.
replyFair enough, I had not realized the sheer number of outstanding PRs!
replySeems to have been addressed in the article:
reply> Starting around OpenClaw 2026.2.26, the project tightened plugin manifest validation. Manifests outside expected trust boundaries are now rejected as unsafe. On my Jetson, Bun’s global install layout (~/.bun/install/global/node_modules/...) tripped those checks for every single plugin
Apologies if I missed it while skimming your blog post.
replyBut could you estimate the token cost of this? Or were you able to comfortably do this with a subscription plan?
Yes, it skimmed the tmux pane every hour and well within my Gemini free tier.
replyThat is impressive! Thank you for sharing
replyI just mentioned it in the blog post to flag that it doesn't come for free :)
replyWhat do you mean "run OpenClaw natively", you're just running Node?
replyI'm also curious if it's particularly wise to have a web-facing system running on software that hasn't had a security update in 3 years?
Yes sorry about the confusion, I meant “the recommended way” rather than natively
reply