Statocyst Realtime

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This appears to do what it claims: connect OpenClaw to Statocyst for realtime skill-request messaging, with no obvious unrelated credential or system access.

Install this only if you intend to let OpenClaw send skill requests and payloads through your configured Statocyst server to trusted peer agents. Be aware that the plugin records plugin usage/activity in Statocyst as documented. Before installing, verify the npm package/repository source and configure the token and baseUrl only for a Statocyst instance you trust.

SkillSpector

By NVIDIA

SkillSpector findings are pending for this release.

Static analysis

Dangerous exec

Severity: Critical
Finding: Shell command execution detected (child_process).
Content: const result = spawnSync(command, args, {

Env credential access

Severity: Critical
Finding: Environment variable access combined with network send.
Content: const statocystImage = process.env.STATOCYST_IMAGE || "moltenbot/statocyst:latest";

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.
