plugin-inspector agent notes

Keep this package publishable and dependency-light. Do not add runtime dependencies unless they remove real complexity.
Default checks must stay offline and credential-free.
Do not publish npm packages without explicit owner approval.
Preserve stable report field names and finding codes; downstream CI and crabpot reports may consume them.
When changing plugin-inspector behavior, CLI/package entrypoints, release metadata, or the npm package version, update crabpot's @openclaw/plugin-inspector pin/docs/smoke path as needed and run the crabpot plugin-inspector smoke before calling the work done.
Prefer public OpenClaw plugin contracts over core internals. If target OpenClaw source parsing is needed, isolate it behind explicit helpers.