Back to plugin

Security audit

Openclaw Snip

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it claims: it adds a snip-based wrapper for shell commands to reduce CLI output, without asking for unrelated credentials or sending data to unexpected services.

This looks internally coherent, but remember that it is effectively a shell-command wrapper: the agent can use it to run commands on your machine, just with output filtered through `snip`. Before installing, verify that you trust both this plugin and the external `snip` binary from the author's tap/GitHub project. Also note the metadata mismatch: the registry says no binary is required, but in practice `snip` must be installed for the skill to work.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
index.ts:40
Evidence
version = execFileSync(snipBin, ["--version"], { encoding: "utf-8" }).trim();

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
src/tool.ts:45
Evidence
const child = spawn(snipBin, ["--", params.command], {