Shell command execution detected (child_process).
Critical
- Code
- suspicious.dangerous_exec
- Location
- dist/index.js:417
- Evidence
let match = re.exec(text);
Security audit
Security checks across malware telemetry and agentic risk
This appears to be a legitimate OpenClaw-to-pi bridge, but it needs review because it forwards sensitive runtime context to a spawned child process and logs prompt metadata by default.
Install only if you trust the local pi binary and backend CLIs it will invoke. Prefer in-container backend login over host credential bind mounts, avoid passing broad secret-filled environments to the OpenClaw gateway, keep gateway logs private, and periodically review or clean ~/.pi/agent state if prompts or workspace data may be sensitive.
61/61 vendors flagged this plugin as clean.
Detected: suspicious.dangerous_exec, suspicious.exposed_secret_literal
let match = re.exec(text);
let match = re.exec(text);
apiKey: "[REDACTED]",
apiKey: "[REDACTED]",