Back to plugin

Security audit

VK Bots Channel Plugin

Security checks across malware telemetry and agentic risk

Overview

This plugin’s code, docs, and runtime instructions are coherent with a VK Long Poll channel plugin; nothing in the bundle indicates behavior beyond its stated purpose, though the README/SKILL.md mentions a VK token that the registry metadata does not list as a required env var (documentation/metadata mismatch).

This plugin appears to be what it says: a VK Long Poll channel for OpenClaw. Before installing: 1) Be prepared to provide a VK group token (the README/runbook references VK_GROUP_TOKEN or a token file) and store it securely — avoid placing tokens in world-readable locations like /root if you don't intend to run as root. 2) Verify you are installing the published npm package (openclaw-vkbots-plugin) or from a trusted local checkout; review the package contents if you need extra assurance. 3) The repo includes CI/publish workflows that reference NPM/GitHub secrets (NPM_TOKEN, GITHUB_TOKEN) for publishing; those are normal for releases and not needed to run the plugin. 4) If you need a stricter inventory, check src/token.ts and src/monitor.js (or other runtime files) for any additional network endpoints or logging behavior; from the provided files the plugin talks only to VK endpoints. 5) If the environment metadata in the registry matters for automation, note the package did not list the VK token in required env vars — add that to your provisioning docs or ask the maintainer to update metadata.

VirusTotal

No VirusTotal findings

View on VirusTotal

Static analysis

No suspicious patterns detected.