Security audit
Nebius Token Factory
Security checks across malware telemetry and agentic risk
Overview
The plugin's files, manifest, and runtime instructions are consistent with a Nebius Token Factory provider for OpenClaw and the requested credential (NEBIUS_API_KEY) matches the stated purpose.
This package appears to do what it says: register a Nebius provider and require a single Nebius API key. Before installing: 1) Confirm you obtained the API key from studio.nebius.ai and trust that endpoint. 2) Back up any existing ~/.openclaw/agents/main/agent/auth-profiles.json and your current plugins.allow value before modifying them. 3) If you are not on macOS, do not run the launchctl instructions — use the equivalent method for your OS (systemd service env or other) so the OpenClaw gateway can access the key. 4) Verify the plugin source (the repo URL in package.json) and inspect the dist/index.js if you want to double-check network endpoints; it references only api.tokenfactory.nebius.com. 5) Installing third‑party plugins grants them the ability to be invoked by agents — this plugin is user-invocable and not forced (always:false), but consider whether you want the plugin enabled for autonomous agent actions in your environment.
VirusTotal
No VirusTotal findings
Static analysis
No suspicious patterns detected.
