openclaw-channel-vk

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This VK plugin is mostly aligned with channel integration, but it contains undisclosed dynamic shell execution plus extra credential and provider data flows that warrant careful review before installation.

Install only after reviewing or disabling the dynamic command-execution path. If you proceed, use least-privilege VK tokens, keep DM policy on pairing or allowlist, explicitly configure any Groq/ElevenLabs/Mistral features you want, and avoid giving this plugin access to production community management until its command and provider-data boundaries are clear.

Static analysis

Dangerous exec

Critical
Finding
Shell command execution detected (child_process).
Content
log(`[dispatcher] exec (dynamic): ${dynamicScript.slice(0, 120)}`);

Env credential access

Critical
Finding
Environment variable access combined with network send.
Content
const APP_DIR = process.env.APP_DIR || "/opt/myapp";

Env credential access

Critical
Finding
Environment variable access combined with network send.
Content
const apiKey = process.env.ELEVENLABS_API_KEY;

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI05: Unexpected Code Execution
Critical
What this means

If reachable from VK messages or button/LLM actions, remote chat input could cause commands to run on the OpenClaw host.

Why it was flagged

The static scan identifies child_process shell execution around a variable named dynamicScript. Arbitrary or dynamic shell execution is not disclosed anywhere in the plugin's stated purpose as a VK channel integration.

Skill content
log(`[dispatcher] exec (dynamic): ${dynamicScript.slice(0, 120)}`);
Recommendation

Do not install until this path is audited or removed. If command execution is required, restrict it to fixed allowlisted commands with explicit owner approval, sandboxing, and logging.

ASI02: Tool Misuse and Exploitation
High
What this means

A crafted VK message or LLM misclassification could select a script action and misuse local tools.

Why it was flagged

The public types show LLM-classified message text can produce actions carrying scripts, but the artifacts do not show a scoped command allowlist or approval boundary.

Skill content
interface ButtonAction { script?: string; scriptFn?: (text: string, peerId: number) => string | null; ... } export declare function classifyIntentWithLLM(text: string, groqKeys: string[], log: (msg: string) => void): Promise<ButtonAction | null>;
Recommendation

Require explicit per-command configuration, disable LLM-generated scripts, and keep VK direct-message policy on pairing/allowlist rather than open access.

ASI03: Identity and Privilege Abuse
Medium
What this means

The plugin can message users, upload media, post to the wall, and manage aspects of the VK community if given the requested token.

Why it was flagged

The setup requests broad VK community-token permissions. This is coherent with the advertised full VK management feature set, but it is high-impact account authority.

Skill content
Grant: messages, photos, docs, wall, stories, manage.
Recommendation

Use a dedicated VK community token with the least privileges you actually need, and avoid enabling broad community management unless required.

ASI03: Identity and Privilege Abuse
Medium
What this means

The plugin may use an external provider account or API quota that the user did not explicitly configure for this VK channel.

Why it was flagged

The runtime reads an ElevenLabs credential even though the provided setup fields focus on VK and optional Groq transcription, and the registry metadata declares no environment variables.

Skill content
const apiKey = process.env.ELEVENLABS_API_KEY;
Recommendation

Declare all provider credentials in metadata/setup and make non-VK provider features opt-in with clear descriptions.

ASI03: Identity and Privilege Abuse
Medium
What this means

A Groq key configured elsewhere in OpenClaw could be used by this plugin without the user selecting it for VK transcription or intent handling.

Why it was flagged

The runtime searches broader OpenClaw config provider credentials instead of using only the explicitly configured VK account groqApiKey.

Skill content
Collect all Groq API keys from OpenClaw config providers. Auto-discovers keys named "groq*" or pointing to api.groq.com.
Recommendation

Limit credential lookup to the account's configured key or require an explicit provider selection and consent.

ASI07: Insecure Inter-Agent Communication
Medium
What this means

Images received through VK could be processed by an external vision provider without users understanding that data path.

Why it was flagged

The artifacts indicate image OCR may fall back to a Mistral/Pixtral provider, but the setup only clearly discloses VK and optional Groq voice transcription.

Skill content
OCR an image URL. 1. Download image to /tmp 2. Run tesseract ... 3. If result is empty/too short → try Pixtral (Mistral vision API)
Recommendation

Disclose all external media-processing providers, make them opt-in, and document what content is sent, retained, and logged.