Even G2 Bridge
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The bridge is purpose-aligned, but if misconfigured it can expose a public route to the user's full OpenClaw agent, and it allows voice-triggered background tasks with high-impact potential.
Install only if you are comfortable making a Cloudflare Worker a voice front door to your OpenClaw agent. Before use, set a strong G2_TOKEN, test that invalid requests get 401, use a scoped Gateway token or separate agent profile, keep confirmations for mutating tools, and configure Telegram/OpenAI/Anthropic only for data you are willing to send to those services.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A deployment mistake could turn the Worker into an unauthenticated public front door to the user's OpenClaw Gateway.
The bearer-token check only runs when G2_TOKEN exists. If the secret is missing or misnamed while GATEWAY_TOKEN is configured, the public Worker can accept POSTs without G2 authentication and relay them to the Gateway.
if (env.G2_TOKEN) { const auth = request.headers.get('Authorization'); if (auth !== `Bearer ${env.G2_TOKEN}`) return json({ error: 'Unauthorized' }, 401); }
Fail closed when G2_TOKEN is missing, add a startup/deploy check for all required secrets, use a long random G2 token, and verify invalid requests return 401 before using the bridge.
A misheard, replayed, or unauthorized voice command could start agent work that affects code, deployments, or other tools before the user reviews the full output.
The Worker explicitly treats deploy/commit/push requests as background tasks. Combined with the bridge's use of the main OpenClaw Gateway agent, this creates a high-impact voice-command path without a documented confirmation boundary in the Worker.
else if (/deploy|部署|commit|push/.test(content)) taskDesc = 'deploying'; ctx.waitUntil(executeLongTask(env, content, taskDesc));
Use a separate low-privilege Gateway token or dedicated agent profile for G2, require explicit confirmation for deploy/commit/push or other mutating actions, and keep downstream tool approvals enabled.
Voice prompts and agent outputs, which may include sensitive details, can be delivered to a Telegram chat.
When Telegram is configured, the Worker sends both the user's task text and the Gateway result to Telegram. This is disclosed and purpose-aligned for rich content delivery, but it is still an external data flow.
await sendToTelegram(env, `🕶️ G2 Task Complete ✅\n\n📋 Task: ${content}\n\n💬 Result:\n${reply}`);
Configure Telegram only for trusted chats, avoid using the bridge for sensitive tasks unless that data may be sent to Telegram, and consider redaction or opt-in delivery for long outputs.
Anyone with access to the glasses token may be able to interact with the same agent memory and tool context the user normally uses.
The skill intentionally shares the user's main agent memory and tools with the glasses interface. That is central to the purpose, but it means G2-originated text can influence or access the same agent context.
same agent, same memory, same tools, just voice instead of typing.
Treat the G2 token like full agent access, rotate it if glasses are lost, and consider using a separate agent or memory scope for the glasses.
Automated install or permission review may not warn users that the Worker needs Gateway and provider tokens.
The registry metadata under-declares the secrets that SKILL.md and worker.js require. The README discloses them, so this is a metadata/provenance gap rather than hidden credential use.
Required env vars: none ... Primary credential: none
Update registry metadata/capability declarations to list the required secrets, credential purpose, and external services.
