Back to plugin

Security audit

ClawWatch

Security checks across malware telemetry and agentic risk

Overview

ClawWatch appears to do what it says: run a Node-based telemetry agent that reports OpenClaw/node metrics to a ClawWatch Worker.

Install this only if you intend to send node telemetry to ClawWatch, especially the default Worker at https://cw.osglab.win unless you configure a self-hosted Worker. Expect it to run continuously after the plugin is enabled and to report system metrics, token/status fields, and some node metadata such as local IP/region/GPU model. Protect ~/.clawwatch/agent.json because it contains the node secret. Confidence is medium rather than high because the provided src/agent.mjs content was truncated, so the full runtime agent code was not completely reviewable here.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.env_credential_access

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
dist/index.js:43
Evidence
runChild = spawn(process.execPath, [agentScript, "run", "--base", base], {

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
src/agent.mjs:226
Evidence
const out = execSync('df -h / | tail -1', { timeout: 5000 }).toString().trim();

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
src/index.ts:63
Evidence
runChild = spawn(process.execPath, [agentScript, 'run', '--base', base], {

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
src/agent.mjs:43
Evidence
const LANG = (process.env.OPENCLAW_LANG || Intl.DateTimeFormat().resolvedOptions().locale || 'en')