Dangerous exec
- Finding: Shell command execution detected (child_process).
- Content: `const child = spawn(command, args, {`
Security checks across static analysis, malware telemetry, and agentic risk
This plugin appears to do what it claims: it exposes MCPBundles tools through the local MCPBundles CLI, without asking for unrelated credentials or installing extra software.
This looks internally consistent, but it is a broad bridge: once enabled, the agent can use whatever services and Hub operations your logged-in MCPBundles CLI can access. Only install it if you trust MCPBundles and are comfortable letting OpenClaw invoke MCPBundles-connected tools. Also verify that the `mcpbundles` binary on the Gateway host is the one you intend to use, especially if you configure a custom command path.
SkillSpector findings are pending for this release.
62/62 vendors flagged this plugin as clean.