Security audit

ActiveWiki — OpenClaw Wiki Integration

Security checks across malware telemetry and agentic risk

Overview

The package shows only low-impact hygiene and documentation concerns, with no artifact-backed evidence of hidden, destructive, or data-exfiltrating behavior.

This looks acceptable to install from the reviewed evidence. Users who need stricter supply-chain controls should pin dependencies or install from a lockfile-backed release, and should confirm that the Discord/reviewer notification template matches their team's language and workflow.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Natural-Language Policy Violations

Severity: Low
Confidence: 95%
Finding: The policy allows locale constraints only when the skill offers user opt-in or clearly documents a justified region-specific need. Here, the Discord review template uses German phrases like "Neue Regel zum Review" and "Bestätigen oder Ablehnen" in an otherwise English README, with no indication that reviewers can choose the language or that German is required for compliance or regional operation.

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content:
    "clean": "rm -rf dist"
  },
  "devDependencies": {
    "@types/node": "^25.9.1",
    "openclaw": "^2026.5.27",
    "typescript": "^6.0.3"
  },
Confidence: 40%
Finding: "@types/node": "^25.9.1" (caret range, not pinned to an exact version)

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content:
  },
  "devDependencies": {
    "@types/node": "^25.9.1",
    "openclaw": "^2026.5.27",
    "typescript": "^6.0.3"
  },
  "openclaw": {
Confidence: 40%
Finding: "openclaw": "^2026.5.27" (caret range, not pinned to an exact version)

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content:
  "devDependencies": {
    "@types/node": "^25.9.1",
    "openclaw": "^2026.5.27",
    "typescript": "^6.0.3"
  },
  "openclaw": {
    "plugin": "./openclaw.plugin.json",
Confidence: 40%
Finding: "typescript": "^6.0.3" (caret range, not pinned to an exact version)

VirusTotal

60/60 vendors flagged this plugin as clean.