Back to plugin

Security audit

PageIQ

Security checks across malware telemetry and agentic risk

Overview

The skill's code, docs, and runtime behavior are consistent with its stated purpose (cache-first SDF lookups, local LLM extraction on cache misses, and submissions to api.sdfprotocol.com); only small configuration/declared-env mismatches were found.

This skill appears to do what it claims: it checks the SDF cache, fetches webpages on misses, asks your agent's LLM to extract structured SDF JSON, and posts submissions to api.sdfprotocol.com. Before installing: (1) Be prepared to provide an SDF API key in the plugin config (openclaw.plugin.json requires it). (2) Note bridge.py also reads SDF_API_KEY and AGENTWEB_MODEL_* env vars — review whether you want to set those in your environment. (3) The engine fetches arbitrary URLs and sends page text to your llm_fn; if your llm_fn uses a remote model provider, page content (possibly sensitive) will be transmitted to that provider. (4) Confirm you trust sdfprotocol.org before giving an API key (submissions and extracted SDF are sent there). If you want extra assurance, run the included tests locally and/or review/limit the llm_fn to a local model or to a model provider you control.

VirusTotal

No VirusTotal findings

View on VirusTotal

Static analysis

No suspicious patterns detected.