Back to plugin

Security audit

PyFix

Security checks across malware telemetry and agentic risk

Overview

The plugin's code and runtime instructions match its stated purpose (diagnosing Python tracebacks); no credentials or unusual runtime permissions are requested — the only oddity is a very large package-lock.json containing cloud/SDK packages that the plugin's code does not use.

This skill appears to do what it says: parse Python tracebacks and provide explanations and fixes, and it will auto-annotate tool output when installed. Before installing, consider these checks: 1) verify the published npm package (openclaw-pyfix) metadata on the registry — confirm its package.json (dependencies) matches the source here; 2) inspect the package contents you will install (npm pack / unpack) to ensure the large package-lock contents are not being shipped as runtime dependencies; 3) if you want extra caution, run the plugin locally in an isolated environment and run the test suite (npm install && npm test) to observe behavior; 4) remember the plugin will automatically annotate tool output via after_tool_call, so if you want to restrict automatic annotations you can control plugin activation or permissions in your OpenClaw configuration. The main oddity is a large package-lock.json listing unrelated SDKs — this is likely a leftover dev artifact but worth verifying before trusting the published package.

VirusTotal

No VirusTotal findings

View on VirusTotal

Static analysis

No suspicious patterns detected.