Back to plugin

Security audit

My Wallet for OpenClaw

Security checks across malware telemetry and agentic risk

Overview

This wallet bundle is purpose-aligned, but it should be reviewed carefully because it runs bundled Node MCP code, handles self-custodial wallet secrets and funds, persists wallet state locally, and static scanning flagged hardcoded secrets and obfuscated code.

Review this as a high-risk financial integration, not a simple informational skill. Only install it if you trust the publisher and understand that it can run local wallet code, persist wallet state, and handle seed/password material. Avoid using significant funds until the hardcoded-secret and obfuscation findings are explained or resolved, and require explicit confirmations for all transfers, swaps, signing, and approval/autonomy changes.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal, suspicious.obfuscated_code

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
payload/200.cjs:18446
Evidence
apiKey: [REDACTED],

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
payload/409.cjs:890
Evidence
password: [REDACTED]

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
payload/964.cjs:1081
Evidence
password: [REDACTED]

Potential obfuscated payload detected.

Warn
Code
suspicious.obfuscated_code
Location
payload/200.cjs:1187
Evidence
const data = Buffer.from(src, 'base64');