Back to plugin

Security audit

Openclaw Provider Plugin

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Dymo provider plugin, but it uses an undocumented default API domain and silently patches network requests, so users should review it before installing.

Review this plugin carefully before installing. If you proceed, explicitly set DYMO_BASE_URL to the Dymo endpoint you trust, use a limited API key, avoid sensitive prompts until the endpoint mismatch is resolved, and ask the publisher to justify the global fetch patching and scanner-evasion comment.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/index.js:264
Evidence
const apiKey = [REDACTED](PROVIDER_ID).apiKey;

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
index.ts:256
Evidence
const apiKey = [REDACTED](PROVIDER_ID).apiKey;