Back to plugin

Security audit

Apify

Security checks across malware telemetry and agentic risk

Overview

The plugin’s core Apify scraping function is coherent, but it grants broad plugin-tool permission and can expose an API key and user inputs in ways users should review before installing.

Review this before installing. Use a limited Apify token if possible, avoid entering secrets or regulated data into Actor inputs, and change the generated tools.alsoAllow entry from group:plugins to the specific apify tool unless you intentionally want all plugin tools enabled. Treat scraped results as untrusted external content.

VirusTotal

61/61 vendors flagged this plugin as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.exposed_secret_literal

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/bump-openclaw.mjs:28
Evidence
const result = spawnSync(cmd, args, {

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/cli.js:161
Evidence
apiKey = [REDACTED](apiKey);

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
src/cli.ts:189
Evidence
apiKey = [REDACTED](apiKey);