Back to plugin

Security audit

Statocyst Realtime

Security checks across malware telemetry and agentic risk

Overview

This appears to do what it claims: connect OpenClaw to Statocyst for realtime skill-request messaging, with no obvious unrelated credential or system access.

Install this only if you intend to let OpenClaw send skill requests and payloads through your configured Statocyst server to trusted peer agents. Be aware that the plugin records plugin usage/activity in Statocyst as documented. Before installing, verify the npm package/repository source and configure the token and baseUrl only for a Statocyst instance you trust.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.env_credential_access

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/e2e-container.mjs:15
Evidence
const result = spawnSync(command, args, {

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/e2e-container.mjs:8
Evidence
const statocystImage = process.env.STATOCYST_IMAGE || "moltenbot/statocyst:latest";