Back to plugin

Security audit

openclaw-channel-vk

Security checks across malware telemetry and agentic risk

Overview

This VK plugin is mostly aligned with channel integration, but it contains undisclosed dynamic shell execution plus extra credential and provider data flows that warrant careful review before installation.

Install only after reviewing or disabling the dynamic command-execution path. If you proceed, use least-privilege VK tokens, keep DM policy on pairing or allowlist, explicitly configure any Groq/ElevenLabs/Mistral features you want, and avoid giving this plugin access to production community management until its command and provider-data boundaries are clear.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.env_credential_access

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
dist/src/button-dispatcher.js:853
Evidence
log(`[dispatcher] exec (dynamic): ${dynamicScript.slice(0, 120)}`);

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
src/button-dispatcher.js:1037
Evidence
log(`[dispatcher] exec (dynamic): ${dynamicScript.slice(0, 120)}`);

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
dist/src/button-dispatcher.js:9
Evidence
const APP_DIR = process.env.APP_DIR || "/opt/myapp";

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
dist/src/runtime.js:897
Evidence
const apiKey = process.env.ELEVENLABS_API_KEY;

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
src/button-dispatcher.js:8
Evidence
const APP_DIR = process.env.APP_DIR || "/opt/myapp";

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
src/runtime.js:746
Evidence
const apiKey = process.env.ELEVENLABS_API_KEY;