Shell command execution detected (child_process).
Critical
- Code
- suspicious.dangerous_exec
- Location
- scripts/bump-openclaw.mjs:28
- Evidence
const result = spawnSync(cmd, args, {
Security audit
Security checks across malware telemetry and agentic risk
The plugin’s core Apify scraping function is coherent, but it grants broad plugin-tool permission and can expose an API key and user inputs in ways users should review before installing.
Review this before installing. Use a limited Apify token if possible, avoid entering secrets or regulated data into Actor inputs, and change the generated tools.alsoAllow entry from group:plugins to the specific apify tool unless you intentionally want all plugin tools enabled. Treat scraped results as untrusted external content.
61/61 vendors flagged this plugin as clean.
Detected: suspicious.dangerous_exec, suspicious.exposed_secret_literal
const result = spawnSync(cmd, args, {apiKey = [REDACTED](apiKey);
apiKey = [REDACTED](apiKey);