Security audit
DG-Lab V3 Controller
Security checks across malware telemetry and agentic risk
Overview
The plugin’s code, commands, and requirements are consistent with its stated purpose (remote WebSocket control of DG‑Lab V3 and an AI-driven 'emotion' engine), but it carries safety and network‑exposure risks you should consider before installing.
This plugin appears to do what it says, but it controls real electrical stimulation hardware and requires network exposure — both are safety-sensitive. Before installing: (1) Review the remote install.sh (do not run it blindly). (2) Prefer local-only or VPN/SSH-tunneled access rather than exposing TCP/18888 to the public Internet. (3) Set and verify hardware-side safety limits in the official DG‑Lab App (the software limit is not a substitute). (4) Keep `/dg_emotion` off until you understand and test behavior; test every command at the lowest intensity and confirm the plugin’s behavior in a controlled environment. (5) Inspect the included code (dist/*.js) if you can, or run the plugin in an isolated VM/container if you must expose a port. (6) Verify the QR pairing URL (it uses https://www.dungeon-lab.com) matches the official ecosystem you expect. If you are uncomfortable with network exposure or autonomous AI-triggered stimulation, do not install or only enable with strict network controls and supervision.
VirusTotal
No VirusTotal findings
Static analysis
No suspicious patterns detected.
