Back to plugin

Security audit

PipePost

Security checks across malware telemetry and agentic risk

Overview

PipePost appears to be a legitimate content-publishing integration, but it can run a local CLI, publish AI-generated content to external destinations, and even suggests scheduled automation without strong built-in guardrails.

Install only if you want OpenClaw to curate and potentially publish content for you. Keep approvals on for live `pipepost_run`, use dry-run first, restrict configs and destinations to trusted paths/endpoints, and do not allow cron scheduling unless you intentionally want ongoing automated publishing.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
dist/utils.js:5
Evidence
const child = execFile(bin, args, { timeout, maxBuffer: 10 * 1024 * 1024, encoding: "utf-8" }, (error, stdout, stderr) => {

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
src/utils.ts:16
Evidence
const child = execFile(