Back to plugin

Security audit

OpenClaw Hawkins — VINES + VECNA

Security checks across malware telemetry and agentic risk

Overview

The package fits its multi-agent orchestration purpose, but it installs a persistent host plugin and can persist task content to external systems with some under-scoped data-sharing controls.

Review this before installing on a sensitive host. Use a dedicated MariaDB database/user, a narrowly scoped Linear token, and keep VECNA disabled unless you explicitly want shared memory. Do not send secrets or sensitive business/customer data through operator objectives, specialist prompts, Linear ticket text, or VECNA fragments. Also treat the ClawHub metadata as incomplete: this package does execute runtime plugin/CLI code and activates on OpenClaw gateway startup.

VirusTotal

65/65 vendors flagged this plugin as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
src/config.ts:63
Evidence
const password = [REDACTED] ?? "";

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
src/hive/config.ts:39
Evidence
const bearer = [REDACTED](env);