Back to plugin

Security audit

@nevermined-io/openclaw-plugin

Security checks across malware telemetry and agentic risk

Overview

This payments plugin is coherent, but it needs Review because it can send payment tokens and prompts to caller-supplied agent URLs without strong destination controls.

Install only if you trust the Nevermined integration and will control which agent URLs are used. Prefer browser login or a protected secret store over pasting API keys in chat or committing them to openclaw.json. Use HTTPS agent URLs, verify the destination really belongs to the intended paid agent, and avoid sending sensitive prompts or payment tokens to untrusted endpoints.

VirusTotal

2/60 vendors flagged this plugin as malicious, and 58/60 flagged it as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.exposed_secret_literal

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
dist/auth.js:119
Evidence
execFile(cmd, args, (err) => {

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/tools.js:78
Evidence
return result({ accessToken: [REDACTED] });