Security audit
@soimy/openclaw-channel-powpow
Security checks across malware telemetry and agentic risk
Overview
The plugin's code, README, and runtime instructions are internally consistent with a WebSocket-based OpenClaw Channel that connects to the PowPow service; it does not request unrelated credentials or install unusual third-party binaries.
This plugin appears to do exactly what it claims: manage WebSocket connections to the PowPow platform and forward messages to OpenClaw. Before installing, confirm you trust the PowPow service (default wss://global.powpow.online:8080) and that you want OpenClaw to connect to that external host. Protect any digitalHumanId values you insert in configuration (they act like account identifiers). If you want to limit risk, run the plugin in an environment with restricted network access or restrict the wsUrl to a vetted endpoint, enable allowlist/blocklist policies, and enable debug logs only temporarily when troubleshooting.
VirusTotal
No VirusTotal findings
Static analysis
No suspicious patterns detected.
