Back to plugin

Security audit

OpenSpec Openclaw Plugin

Security checks across malware telemetry and agentic risk

Overview

The plugin mostly matches its OpenSpec purpose, but a file-dump feature can be steered outside the intended OpenSpec change folder and the plugin gives agents a broad raw CLI passthrough.

Install only if you trust the local OpenSpec CLI and need this workflow. Before using it, pin the OpenSpec version, set `allowedRoots` to specific repositories, consider enabling `readOnly`, avoid `openspec_run` unless you approve the exact arguments, and do not use `includeFiles` on untrusted change names until the path-containment issue is fixed.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
src/runner.ts:30
Evidence
const child = spawn(command, args, {