Dangerous exec
- Finding
- Shell command execution detected (child_process).
- Skill content
const list = execSync('openclaw cron list --json 2>/dev/null', { encoding: 'utf8' });
Security checks across static analysis, malware telemetry, and agentic risk
OpenClaw Shield appears purpose-built for security monitoring, but it deserves review because it includes automatic install/update code paths and sends monitoring data to an external Shield service.
Install only if you intend to run a background security-monitoring integration. Before enabling it, review the publisher and update mechanism, consider setting autoUpdate to `notify-only` or `false`, keep redaction enabled, try dry-run mode first, and protect the local Shield credential files.
VirusTotal engine telemetry is currently stale for this artifact.
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If installed through a package flow that honors npm lifecycle scripts, setup code could run before the user or agent reviews the plugin behavior.
A package-manager postinstall hook can execute code during installation, but the registry says there is no install spec and the referenced `scripts/postinstall.js` is not present in the supplied file manifest.
"scripts": { "postinstall": "node scripts/postinstall.js", ... }
Review or remove the postinstall hook before installation, and require the publisher to include and document any install-time script.
The plugin may change its own code in the background, which increases risk if the update channel or publisher account is compromised.
The plugin defaults to automatically installing patch and minor updates. The supplied artifacts do not show enough update-source, signing, or approval controls to make that self-update path fully reviewable.
"autoUpdate": { ... "default": true, "description": "Auto-update mode: true (auto-update patch and minor versions with rollback safety), false (disabled), or 'notify-only'" }
Set autoUpdate to `notify-only` or `false` unless you trust the publisher and can verify the update mechanism and rollback controls.
The plugin can invoke local OpenClaw CLI commands as part of its monitoring behavior.
The plugin executes a local shell command. The command is static and appears aligned with monitoring OpenClaw cron state, but local command execution is still a capability users should notice.
const list = execSync('openclaw cron list --json 2>/dev/null', { encoding: 'utf8' });
Run the plugin with the least privileges needed and verify that future versions do not add user-controlled shell arguments.
Agent activity and security telemetry may leave the local environment and be processed by the Shield service.
The artifact explicitly discloses that security events are transmitted to an external Shield detection platform, with redaction enabled by default and dry-run available.
"description": "Real-time security monitoring — streams enriched, redacted security events to the Shield detection platform."
Keep redaction enabled, test with dryRun if needed, and confirm the external service's data handling policy before enabling production monitoring.
Anyone who can read the local Shield config file may be able to impersonate or access this Shield instance.
The plugin obtains and stores an HMAC secret for the Shield service. It uses restrictive file permissions, but this is still a credential users should protect.
`SHIELD_HMAC_SECRET=${hmacSecret}` ... writeFileSync(SHIELD_CONFIG_PATH, envContent, { encoding: 'utf-8', mode: 0o600 });
Protect the `~/.openclaw/shield` configuration directory, remove the one-time installation key after activation, and rotate credentials if the file is exposed.