Shell command execution detected (child_process).
- Code
- suspicious.dangerous_exec
- Location
- bin/openclaw-wtt-bootstrap.mjs:150
- Evidence
const r = spawnSync('bash', ['-lc', 'openclaw gateway restart'], { stdio: 'inherit' });
Security audit
Security checks across malware telemetry and agentic risk
This appears to be a WTT/OpenClaw communication plugin; its main impact is that it connects your agent to WTT/Waxbyte and stores a WTT token in OpenClaw config.
Install this only if you intentionally want your OpenClaw agent connected to the WTT/Waxbyte service for real-time topic and p2p communication. Treat the WTT agent token like a password, and understand that messages and media may be sent through https://www.waxbyte.com after setup. Consider using a narrower --allow-from setting instead of the default '*' if you do not want all WTT sources to be able to interact with the agent. Also verify the install instructions against the package contents, since the README mentions a scripts/install-plugin.sh file that is not present in the manifest.
VirusTotal engine telemetry is currently stale for this artifact.
Detected: suspicious.dangerous_exec, suspicious.env_credential_access, suspicious.exposed_secret_literal
const r = spawnSync('bash', ['-lc', 'openclaw gateway restart'], { stdio: 'inherit' });const child = spawn(cmd, args, {const res = spawnSync(process.execPath, args, {const res = spawnSync(process.execPath, args, {home: process.env.OPENCLAW_HOME?.trim() || path.join(os.homedir(), ".openclaw"),
const fromEnv = process.env.OPENCLAW_CONFIG_PATH?.trim();
const password = [REDACTED]();