Shell command execution detected (child_process).
- Code
- suspicious.dangerous_exec
- Location
- dist/index.js:43
- Evidence
runChild = spawn(process.execPath, [agentScript, "run", "--base", base], {
Security audit
Security checks across malware telemetry and agentic risk
ClawWatch appears to do what it says: run a Node-based telemetry agent that reports OpenClaw/node metrics to a ClawWatch Worker.
Install this only if you intend to send node telemetry to ClawWatch, especially the default Worker at https://cw.osglab.win unless you configure a self-hosted Worker. Expect it to run continuously after the plugin is enabled and to report system metrics, token/status fields, and some node metadata such as local IP/region/GPU model. Protect ~/.clawwatch/agent.json because it contains the node secret. Confidence is medium rather than high because the provided src/agent.mjs content was truncated, so the full runtime agent code was not completely reviewable here.
VirusTotal engine telemetry is currently stale for this artifact.
Detected: suspicious.dangerous_exec, suspicious.env_credential_access
runChild = spawn(process.execPath, [agentScript, "run", "--base", base], {const out = execSync('df -h / | tail -1', { timeout: 5000 }).toString().trim();runChild = spawn(process.execPath, [agentScript, 'run', '--base', base], {const LANG = (process.env.OPENCLAW_LANG || Intl.DateTimeFormat().resolvedOptions().locale || 'en')