Back to plugin

Security audit

DG-Lab V3 Controller

Security checks across malware telemetry and agentic risk

Overview

The plugin’s code, commands, and requirements are consistent with its stated purpose (remote WebSocket control of DG‑Lab V3 and an AI-driven 'emotion' engine), but it carries safety and network‑exposure risks you should consider before installing.

This plugin appears to do what it says, but it controls real electrical stimulation hardware and requires network exposure — both are safety-sensitive. Before installing: (1) Review the remote install.sh (do not run it blindly). (2) Prefer local-only or VPN/SSH-tunneled access rather than exposing TCP/18888 to the public Internet. (3) Set and verify hardware-side safety limits in the official DG‑Lab App (the software limit is not a substitute). (4) Keep `/dg_emotion` off until you understand and test behavior; test every command at the lowest intensity and confirm the plugin’s behavior in a controlled environment. (5) Inspect the included code (dist/*.js) if you can, or run the plugin in an isolated VM/container if you must expose a port. (6) Verify the QR pairing URL (it uses https://www.dungeon-lab.com) matches the official ecosystem you expect. If you are uncomfortable with network exposure or autonomous AI-triggered stimulation, do not install or only enable with strict network controls and supervision.

VirusTotal

No VirusTotal findings

View on VirusTotal

Static analysis

No suspicious patterns detected.