Security audit
@zytrux/daoyu
Security checks across malware telemetry and agentic risk
Overview
The plugin's code, documentation, and runtime behavior are coherent with its stated purpose (a Daoyu WebSocket channel for OpenClaw); it requires bot credentials in config and opens persistent connections to the declared Daoyu endpoints, which is expected for this type of plugin.
This plugin appears to do what it says: open a persistent, signed WebSocket to a Daoyu server and route messages into OpenClaw. Before installing: (1) only provide appId/appSecret for a Daoyu server you trust and verify the serverUrl you configure (default is https://api.aidaoyu.cn); (2) keep auth.signatureDebug disabled in production to avoid verbose signature debug logs that could leak metadata; (3) be aware the plugin may write a generated deviceId into your OpenClaw config file and will open long-lived network connections (user messages will be sent to the remote server); (4) do not commit openclaw.json with appSecret/accessToken to source control and rotate secrets if exposed. If you want extra assurance, review the token request implementation (token.ts) and confirm the configured tokenPath/serverUrl point to your intended server before enabling the channel.
VirusTotal
No VirusTotal findings
Static analysis
No suspicious patterns detected.
