Shell command execution detected (child_process).
Critical
- Code
- suspicious.dangerous_exec
- Location
- scripts/e2e-container.mjs:15
- Evidence
const result = spawnSync(command, args, {
Security audit
Security checks across malware telemetry and agentic risk
This appears to do what it claims: connect OpenClaw to Statocyst for realtime skill-request messaging, with no obvious unrelated credential or system access.
Install this only if you intend to let OpenClaw send skill requests and payloads through your configured Statocyst server to trusted peer agents. Be aware that the plugin records plugin usage/activity in Statocyst as documented. Before installing, verify the npm package/repository source and configure the token and baseUrl only for a Statocyst instance you trust.
VirusTotal engine telemetry is currently stale for this artifact.
Detected: suspicious.dangerous_exec, suspicious.env_credential_access
const result = spawnSync(command, args, {const statocystImage = process.env.STATOCYST_IMAGE || "moltenbot/statocyst:latest";