Security audit

Bncr

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Bncr/OpenClaw channel bridge, with operational caveats around runtime SDK linking and verbose logs.

Install this only if you intend to connect Bncr/无界 to OpenClaw. Keep `debug.verbose` off in production, configure `dmPolicy`/`groupPolicy` and allowlists if you do not want open inbound handling, do not rely on `requireMention` yet, and make sure the host/global `openclaw` package path is trusted because the plugin may symlink it into its own `node_modules` during runtime repair.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The plugin automatically creates `node_modules` directories and rewires a symlink to an `openclaw` package discovered from global locations at runtime, altering the host filesystem without explicit approval. This can silently change dependency resolution, trust boundary, and code-loading behavior; if a malicious or unintended global package is selected, the plugin may cause the host to load attacker-controlled code.

Context-Inappropriate Capability

High
Confidence
93% confidence
Finding
This code creates or rewrites `pluginDir/node_modules/openclaw` to point at a globally discovered package root derived from environment state and system lookup paths. That allows execution or import of code outside the plugin's dependency boundary, so a compromised or attacker-controlled global `openclaw` installation or manipulated `NODE_PATH`/`PATH` environment can influence what the plugin loads at runtime.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The code accepts and propagates `requireMention` into the resolved policy while separately warning that it is 'not enforced yet'. This creates a dangerous configuration gap: operators may believe mention-gating is active and rely on it as a control, but downstream behavior may ignore it, allowing commands or interactions to be processed more broadly than intended.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The runtime dependency repair occurs silently, with no warning, prompt, or audit trail beyond eventual failure messages. Even if intended as self-healing, silently modifying `node_modules` and replacing symlinks can surprise operators, break deployments, or mask unsafe dependency sourcing from global package locations.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Silently creating or replacing a symlink under `node_modules` changes the plugin's effective dependency resolution without user awareness. Even if intended as self-repair, this can mask dependency drift and enable loading of unexpected code from global locations, increasing supply-chain and persistence risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The debug logging helper records full outbound message text, media URLs, recipient identifiers, session keys, and raw context fields into structured logs. Even with a debugOnly flag, this creates a clear data exposure risk because logs are commonly aggregated, retained, and accessed by operators or third-party tooling, turning private message content and routing metadata into secondary sensitive data stores.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
This debug log records sensitive transfer metadata including accountId, sessionKey, mediaUrl, connection identifiers, and account connection details. Even if marked debugOnly, such logs often end up in centralized logging, support bundles, or misconfigured production environments, which can expose session correlation data and internal topology to unauthorized viewers.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The transfer-start log exposes fileName, mediaUrl, sessionKey, accountId, file size, MIME type, and connection identifiers, all of which can reveal user activity and sensitive file-transfer context. This creates privacy and operational security risk because attackers or insiders with log access can reconstruct what was transferred and correlate it to specific sessions and users.

Missing User Warnings

Low
Confidence
82% confidence
Finding
Logging the completion acknowledgment payload including a filesystem path can disclose local storage layout, usernames, mount points, or other environment details. While lower impact than session or transfer metadata leakage, path disclosure can still aid reconnaissance and expose sensitive user or host information through logs.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The handler logs inbound message metadata including a text preview derived from user-controlled content (`inboundText.slice(0, 120)`) in debug output. Even when marked `debugOnly`, this can expose sensitive user messages to logs, operators, log aggregation systems, or downstream analytics without minimization or explicit consent, creating a privacy and data leakage risk.

VirusTotal

60/60 vendors flagged this plugin as clean.
