Back to plugin

Security audit

Mai Plugin

Security checks across malware telemetry and agentic risk

Overview

This appears to be a disclosed bridge plugin for Mai that runs the local Mai Python CLI and can use optional hosted-registry credentials, so users should only point it at a trusted Mai checkout and registry.

Install this only if you intend to use the Mai shopping/registry workflow. Verify that the Mai skill checkout and projectRoot/MAI_ROOT are trusted, configure registryUrl and MAI_API_KEY only for a registry you trust, and review any catalog, order, push, or registry-order action before letting the agent proceed.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
openclaw_compat.js:74
Evidence
const result = spawnSync(command[0], command.slice(1), {