Security audit
Hasdata Openclaw Plugin
Security checks across malware telemetry and agentic risk
Overview
The plugin's code, docs, and runtime behavior are consistent with its stated purpose (making authenticated calls to api.hasdata.com for real-time web data); the only issues are a small metadata omission and an unexpected pre-scan pattern flagged in the SKILL.md.
This plugin appears to do what it says: it calls HasData (api.hasdata.com) using a HasData API key. Before installing: 1) Confirm you are comfortable sending scraped page contents and any params to HasData (requests and returned content go to HasData's service). 2) Provide only the HasData API key (HASDATA_API_KEY or save it under plugins.entries.hasdata.config.apiKey) and secure ~/.openclaw/openclaw.json (chmod 600) if you store it there. 3) Note the registry metadata in the listing omitted the required env var; rely on the plugin's openclaw.plugin.json / README/SECURITY.md which correctly document HASDATA_API_KEY. 4) Inspect the truncated portion of the SKILL.md (pre-scan flagged a 'base64-block') to be certain no hidden instructions or data are present. 5) Monitor usage (credits returned in responses) and avoid giving the plugin any unrelated credentials — it only needs the HasData API key. If you want extra caution, run the plugin in a restricted environment or test account first.
VirusTotal
No VirusTotal findings
Static analysis
No suspicious patterns detected.
