Back to plugin

Security audit

BytePlus Cloud Sandbox (xieyongliang)

Security checks across malware telemetry and agentic risk

Overview

The plugin's code, runtime instructions, and requested configuration are consistent with a BytePlus VeFaaS sandbox backend: it needs user-provided endpoint and (optionally) BytePlus AK/SK for auto-creation, and it only persists a small registry file under the user's home directory.

This plugin appears to be what it says: a backend that proxies shell exec calls to a BytePlus VeFaaS sandbox via an API Gateway. Before installing, consider: (1) Only configure endpoints and API Gateway tokens you trust — the plugin will send arbitrary shell commands to that endpoint which will run in the remote sandbox. (2) Provide BytePlus AK/SK only if you want the plugin to auto-create/kill sandboxes; if you prefer to avoid giving credentials, pre-create a sandbox and set endpoint + sandboxId (and an optional API Gateway token). (3) The plugin writes ~/.openclaw/byteplus-sandbox-registry.json to cache sandbox IDs and will attempt cleanup on process exit if credentials exist; be aware of that file and remove it if you want to revoke cached associations. (4) Verify the plugin source (github repo and author) and rotate credentials if you later remove the plugin. Overall the plugin is internally consistent with its purpose; treat network endpoints and credentials as sensitive.

VirusTotal

No VirusTotal findings

View on VirusTotal

Static analysis

No suspicious patterns detected.