Back to plugin

Security audit

OpenClaw Tenant Bridge

Security checks across malware telemetry and agentic risk

Overview

The plugin's code, configuration schema, and runtime instructions are coherent with its stated purpose as a tenant-aware shared-memory bridge for OpenClaw; nothing in the package requests unrelated credentials or performs unexpected actions.

This package appears to do what it says: provide a tenant-aware context engine and authenticated HTTP bridge with optional local/Postgres storage and optional S3 artifact storage. Before installing: 1) Limit allowedApps and use strong, unique serviceTokens in your plugin config; 2) If you enable S3, grant the plugin only the minimal S3 permissions needed and point it to trusted endpoints; 3) If using file-backed storage or QMD materialization, configure the storage paths (qmdRelativeDir / file path) to a directory you control and that cannot overwrite sensitive system files; 4) Provide Postgres credentials with least privilege if using a database; 5) Review runtime.ts and storage.ts for your deployment-specific concerns (persistence location, retention, and cleanup policies); and 6) Run the included tests locally to verify behavior in your environment. Overall the package is internally consistent, but secrets stored in plugin config and file writes are normal risks to manage with standard operational controls.

VirusTotal

No VirusTotal findings

View on VirusTotal

Static analysis

No suspicious patterns detected.