Back to plugin

Security audit

DashClaw Governance

Security checks across malware telemetry and agentic risk

Overview

This plugin does broad governance of OpenClaw tool calls and sends tool-call metadata to a configured DashClaw service, but that behavior is clearly disclosed and matches its stated purpose.

Before installing, confirm you trust the configured DashClaw instance and understand that it will receive metadata about every tool call and may block or pause actions for approval. Store the API key securely, prefer environment variables or a secrets manager, and use fail-closed only if you want governance outages to stop tool execution.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/index.js:136
Evidence
apiKey: [REDACTED],

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
src/index.ts:216
Evidence
apiKey: [REDACTED],