Back to plugin

Security audit

ClawWatch

Security checks across malware telemetry and agentic risk

Overview

ClawWatch appears to do what it claims: run a background telemetry agent that reports OpenClaw/node metrics to a ClawWatch server.

Install this only if you are comfortable sending node telemetry such as CPU, memory, disk/GPU data, local IP/region-style metadata, token usage, and OpenClaw status information to the ClawWatch Worker at `https://cw.osglab.win` or your configured Worker. The main behavior matches the description, but note the small metadata inconsistencies and that the provided `src/agent.mjs` content was truncated in the review data, so this assessment has medium—not high—confidence.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.env_credential_access

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
dist/index.js:43
Evidence
runChild = spawn(process.execPath, [agentScript, "run", "--base", base], {

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
src/agent.mjs:226
Evidence
const out = execSync('df -h / | tail -1', { timeout: 5000 }).toString().trim();

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
src/index.ts:63
Evidence
runChild = spawn(process.execPath, [agentScript, 'run', '--base', base], {

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
src/agent.mjs:43
Evidence
const LANG = (process.env.OPENCLAW_LANG || Intl.DateTimeFormat().resolvedOptions().locale || 'en')