Security audit
Openclaw Plugin
Security checks across malware telemetry and agentic risk
Overview
This plugin clearly does workspace syncing through GitHub, but it also enables silent automatic pull/push of skills, memory, and settings by default, which can change local agent behavior and upload sensitive workspace content without per-session review.
Install only if you intentionally want your OpenClaw skills, memory, and settings synced through GitHub. Use a private repository, restrict GitHub credentials, review the synced paths, and consider turning off autoSync until you are comfortable with automatic session start/end pulls and pushes.
VirusTotal
VirusTotal engine telemetry is currently stale for this artifact.
Static analysis
No suspicious patterns detected.
