Back to plugin

Security audit

Emperor Claw OS

Security checks across malware telemetry and agentic risk

Overview

This plugin’s bridge purpose is clear, but its setup grants persistent local execution and broad Emperor API authority with under-scoped secret handling and remote code execution during bootstrap.

Install only if you trust the publisher and the configured Emperor API host to deliver executable code. Use a narrowly scoped, revocable token, expect a persistent local bridge service, review the companion directory and .env permissions, and rotate the token if the bridge has already exposed it to model prompts or logs.

VirusTotal

61/61 vendors flagged this plugin as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.env_credential_access

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
dist/src/runtime/services.js:65
Evidence
const child = spawn(nodeBin, [bridgePath], {

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
src/runtime/services.ts:70
Evidence
const child = spawn(nodeBin, [bridgePath], {

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
dist/src/cli/register.js:50
Evidence
emperorTokenPresent: Boolean(process.env.EMPEROR_API_TOKEN || process.env.EMPEROR_CLAW_API_TOKEN),

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
dist/src/install/bootstrap.js:18
Evidence
return process.env.OPENCLAW_HOME || path.join(os.homedir(), ".openclaw");

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
dist/src/install/health.js:142
Evidence
const envApiUrl = String(process.env.EMPEROR_API_URL || process.env.EMPEROR_CLAW_API_URL || "").trim();

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
runtime/bridge.cjs:29
Evidence
const API_URL = process.env.EMPEROR_CLAW_API_URL || "https://emperorclaw.malecu.eu";

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
src/cli/register.ts:53
Evidence
emperorTokenPresent: Boolean(process.env.EMPEROR_API_TOKEN || process.env.EMPEROR_CLAW_API_TOKEN),

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
src/install/bootstrap.ts:41
Evidence
return process.env.OPENCLAW_HOME || path.join(os.homedir(), ".openclaw");

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
src/install/health.ts:166
Evidence
const envApiUrl = String(process.env.EMPEROR_API_URL || process.env.EMPEROR_CLAW_API_URL || "").trim();