Back to plugin

Security audit

Openclaw Guard

Security checks across malware telemetry and agentic risk

Overview

The skill's code, instructions, and requirements are coherent with its stated purpose (a local pre-call guard) and there are no requests for unrelated credentials, remote downloads, or unexpected system access.

This plugin appears to do exactly what it claims: locally estimate tokens/costs and block or suggest a cheaper model. Before installing, confirm you trust the publisher (the plugin will run code inside your agent), keep debug off in production (debug logs redact common secret key names but might not catch non-standard names), and set conservative maxBudgetUsd/maxTokensPerRequest values appropriate for your environment. If you need extra assurance, review the small codebase (it has a single npm dependency, zod) or run tests in an isolated environment prior to deployment.

VirusTotal

No VirusTotal findings

View on VirusTotal

Static analysis

No suspicious patterns detected.