Back to plugin

Security audit

StablePay OpenClaw Plugin

Security checks across malware telemetry and agentic risk

Overview

This looks like a real StablePay wallet/payment plugin, but it gives the agent high-impact signing and payment abilities without a clear per-use confirmation boundary.

Install only if you trust the StablePay publisher and backend. Before using real funds or real OWS credentials, set conservative limits, keep auto-purchase disabled or at 0 unless intended, require manual review for each signature/payment, and verify the configured backend and OWS REST URLs.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.env_credential_access, suspicious.install_untrusted_source

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
dist/runtime.js:451
Evidence
const r = spawnSync("ows", ["--version"], { encoding: "utf8", timeout: 5000 });

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
src/runtime.ts:610
Evidence
const r = spawnSync("ows", ["--version"], { encoding: "utf8", timeout: 5000 });

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
dist/runtime.js:266
Evidence
const token = process.env[this.cfg.owsRestApiKeyEnv];

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
showmethemoney-skill/demo-backend/server.mjs:4
Evidence
const PORT = Number(process.env.PORT || 8787);

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
src/runtime.ts:399
Evidence
const token = process.env[this.cfg.owsRestApiKeyEnv];

Install source points to URL shortener or raw IP.

Warn
Code
suspicious.install_untrusted_source
Location
examples/plugins.entries.sample.json:7
Evidence
"backendBaseUrl": "http://127.0.0.1:28080",

Install source points to URL shortener or raw IP.

Warn
Code
suspicious.install_untrusted_source
Location
openclaw.plugin.json:13
Evidence
"default": "http://127.0.0.1:8080",