Shell command execution detected (child_process).
Critical
- Code
- suspicious.dangerous_exec
- Location
- index.js:63
- Evidence
const result = execSync(`bash "${ROTATOR_SCRIPT}" '${String(errorOutput).replace(/'/g, "'\\''")}'`, {
Security audit
Security checks across malware telemetry and agentic risk
This plugin’s goal is coherent, but it automatically runs a hardcoded shell script outside the package to mutate Tavily API key configuration, which is not sufficiently bounded or reviewable.
Review the referenced ~/.openclaw/workspace-feynman/scripts/tavily_key_rotator.sh before installing or enabling this skill. Avoid using it if that script is missing or untrusted, and consider waiting for a version that bundles the rotator logic, declares its API-key/config access, limits triggers to Tavily only, and asks before making persistent configuration changes.
VirusTotal engine telemetry is currently stale for this artifact.
Detected: suspicious.dangerous_exec
const result = execSync(`bash "${ROTATOR_SCRIPT}" '${String(errorOutput).replace(/'/g, "'\\''")}'`, {