Back to plugin

Security audit

Openclaw Plugin

Security checks across malware telemetry and agentic risk

Overview

This plugin clearly does workspace syncing through GitHub, but it also enables silent automatic pull/push of skills, memory, and settings by default, which can change local agent behavior and upload sensitive workspace content without per-session review.

Install only if you intentionally want your OpenClaw skills, memory, and settings synced through GitHub. Use a private repository, restrict GitHub credentials, review the synced paths, and consider turning off autoSync until you are comfortable with automatic session start/end pulls and pushes.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal

Static analysis

No suspicious patterns detected.