Back to plugin

Security audit

@zytrux/daoyu

Security checks across malware telemetry and agentic risk

Overview

The plugin's code, documentation, and runtime behavior are coherent with its stated purpose (a Daoyu WebSocket channel for OpenClaw); it requires bot credentials in config and opens persistent connections to the declared Daoyu endpoints, which is expected for this type of plugin.

This plugin appears to do what it says: open a persistent, signed WebSocket to a Daoyu server and route messages into OpenClaw. Before installing: (1) only provide appId/appSecret for a Daoyu server you trust and verify the serverUrl you configure (default is https://api.aidaoyu.cn); (2) keep auth.signatureDebug disabled in production to avoid verbose signature debug logs that could leak metadata; (3) be aware the plugin may write a generated deviceId into your OpenClaw config file and will open long-lived network connections (user messages will be sent to the remote server); (4) do not commit openclaw.json with appSecret/accessToken to source control and rotate secrets if exposed. If you want extra assurance, review the token request implementation (token.ts) and confirm the configured tokenPath/serverUrl point to your intended server before enabling the channel.

VirusTotal

No VirusTotal findings

View on VirusTotal

Static analysis

No suspicious patterns detected.