Shell command execution detected (child_process).
- Code
- suspicious.dangerous_exec
- Location
- dashboard/server.js:1736
- Evidence
// /api/info for the new version). FLOWBOARD_UPDATE_DRY=1 skips the spawn (tests).
Security audit
Security checks across malware telemetry and agentic risk
FlowBoard is a local project dashboard and OpenClaw context hook whose sensitive capabilities are disclosed, purpose-aligned, and bounded to local project coordination.
Install this only if you want a local service that can read, edit, and delete FlowBoard project/task data and inject active project context into OpenClaw agents. Keep the default loopback binding unless you configure authentication, prefer environment variables for secrets, and treat any same-user local process that can reach the dashboard port as able to operate the FlowBoard API.
58/58 vendors flagged this plugin as clean.
Detected: suspicious.dangerous_exec, suspicious.env_credential_access, suspicious.exposed_secret_literal
// /api/info for the new version). FLOWBOARD_UPDATE_DRY=1 skips the spawn (tests).
// Static-scanner note (T-417-18): execFile (NO shell) with a fixed binary and a
const r = spawnSync(cmd, args, { stdio: 'inherit', ...opts });const ENV_TOKEN = process.env.FLOWBOARD_GITHUB_TOKEN || process.env.GITHUB_TOKEN || '';
const PORT = parseInt(process.env.FLOWBOARD_PORT, 10) || 18790;
const secretKey = [REDACTED]('sha256', TELEGRAM_WEBAPP_HMAC_SALT).update(token).digest();