Back to plugin

Security audit

元宝 Bot

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Tencent YuanBao bot channel plugin, with credentials, WebSocket messaging, media handling, log submission, and upgrade features that mostly match what it claims to do.

Before installing, make sure you trust the publisher because this plugin will receive your YuanBao AppID/AppSecret and will handle bot conversations and media. Be aware that `/issue-log` can upload diagnostic logs, and the upgrade command may change the installed plugin version. I did not see clear internal incoherence in the provided files, but confidence is medium because many source files were omitted or truncated in the supplied artifact.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.env_credential_access

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
dist/src/commands/upgrade.js:8
Evidence
const result = execSync('which npm', {

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
dist/src/module/log-upload/extractor.js:10
Evidence
const result = execSync('which openclaw', {

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
dist/src/module/log-upload/cos-upload.js:9
Evidence
|| process.env.logUploadApiUrl?.trim()