Back to plugin

Security audit

OpenClaw Agent Team

Security checks across malware telemetry and agentic risk

Overview

The plugin largely matches its stated purpose, but its iPhone bridge exposes powerful OpenClaw access with weak and over-disclosed token handling.

Review before installing. Use only on a trusted machine and trusted network, do not expose the bridge port to a LAN or internet you do not control, and treat the iPhone connection line like a password. Prefer a version that requires the full token, avoids returning the token in general profile data, and uses a tighter local-only or explicitly secured transport.

VirusTotal

61/61 vendors flagged this plugin as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.exposed_secret_literal

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
dist/src/gui/service.js:441
Evidence
const match = /^data:image\/([\w+-]+);base64,/.exec(dataUri);

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/src/bridge/server.js:37
Evidence
authToken: [REDACTED],