Back to plugin

Security audit

Pinclaw

Security checks across malware telemetry and agentic risk

Overview

No artifact-backed suspicious behavior could be confirmed, but the workspace artifacts could not be read in this run.

Treat this as an incomplete review rather than a clean bill of health; review metadata.json and the artifact directory contents before installing.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.env_credential_access, suspicious.exposed_secret_literal

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
dist/src/cli-auth.js:100
Evidence
exec(openCmd, (err) => {

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
dist/src/core/ws-handler.js:56
Evidence
const iaKey = process.env.INTERACTIVE_AI_KEY || process.env.AI_API_KEY || "";

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
dist/src/tools/generate-audio.js:12
Evidence
const relayToken = process.env.PINCLAW_RELAY_TOKEN;

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
dist/src/tools/generate-image.js:12
Evidence
const relayToken = process.env.PINCLAW_RELAY_TOKEN;

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/src/channel.js:149
Evidence
authToken: [REDACTED],

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/src/cli-auth.js:135
Evidence
const accessToken = [REDACTED];