Threema

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This appears to be a Threema Gateway plugin that asks for the kinds of credentials and capabilities needed to send, receive, encrypt, and transcribe Threema messages.

Before installing, make sure you are comfortable giving this plugin your Threema Gateway secret and E2E private key in OpenClaw configuration, because those are necessary for it to send and decrypt messages. If you enable voice transcription, it will run local Whisper on received audio files. The main thing to double-check is the package/version mismatch in the lockfile, but the observed behavior is consistent with the advertised Threema Gateway plugin purpose.

SkillSpector

By NVIDIA

SkillSpector findings are pending for this release.

Static analysis

Dangerous exec

Severity: Critical
Finding: Shell command execution detected (child_process).
Content: // Run whisper transcription with spawnSync (no shell, argument array)

Env credential access

Severity: Critical
Finding: Environment variable access combined with network send.
Content: process.env.HOME || "/tmp",

Exposed secret literal

Severity: Critical
Finding: File appears to expose a hardcoded API secret or token.
Content: this.secretKey = [REDACTED];

Potential exfiltration

Severity: Warn
Finding: Sensitive-looking file read is paired with a network send.
Content: /**

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.
