Back to plugin

Security audit

FlowBoard

Security checks across malware telemetry and agentic risk

Overview

FlowBoard is a local project dashboard and OpenClaw context hook whose sensitive capabilities are disclosed, purpose-aligned, and bounded to local project coordination.

Install this only if you want a local service that can read, edit, and delete FlowBoard project/task data and inject active project context into OpenClaw agents. Keep the default loopback binding unless you configure authentication, prefer environment variables for secrets, and treat any same-user local process that can reach the dashboard port as able to operate the FlowBoard API.

VirusTotal

58/58 vendors flagged this plugin as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.env_credential_access, suspicious.exposed_secret_literal

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
dashboard/server.js:1736
Evidence
// /api/info for the new version). FLOWBOARD_UPDATE_DRY=1 skips the spawn (tests).

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
dashboard/specify-worker-openclaw.js:19
Evidence
// Static-scanner note (T-417-18): execFile (NO shell) with a fixed binary and a

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/setup.mjs:57
Evidence
const r = spawnSync(cmd, args, { stdio: 'inherit', ...opts });

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
dashboard/github.js:9
Evidence
const ENV_TOKEN = process.env.FLOWBOARD_GITHUB_TOKEN || process.env.GITHUB_TOKEN || '';

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
dashboard/server.js:14
Evidence
const PORT = parseInt(process.env.FLOWBOARD_PORT, 10) || 18790;

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dashboard/server.js:179
Evidence
const secretKey = [REDACTED]('sha256', TELEGRAM_WEBAPP_HMAC_SALT).update(token).digest();