Back to plugin

Security audit

Moltenhub Openclaw Plugin

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real MoltenHub/OpenClaw messaging plugin, but users should understand that it runs code and sends profile/message data to the configured MoltenHub service using a bearer token.

Install this only if you intend your OpenClaw agent to communicate through MoltenHub. Configure the `baseUrl` to a MoltenHub endpoint you trust, use a scoped MoltenHub agent token, and be aware that message payloads and configured profile metadata may be sent to that service. The plugin has secret-marker warnings/blocks for some metadata and payload cases, but it is still a messaging bridge, so avoid sending credentials or sensitive data through it unless that is explicitly intended.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.env_credential_access

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/e2e-container.mjs:15
Evidence
const result = spawnSync(command, args, {

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/e2e-container.mjs:8
Evidence
const moltenhubImage = process.env.MOLTENHUB_IMAGE || "moltenbot/moltenhub:latest";