Plugin v0.2.0

Static analysis security

StablePay OpenClaw Plugin · Deterministic local checks for risky code patterns and metadata mismatches.

Scanner verdict

Suspicious · Apr 5, 2026, 1:17 PM
Summary
Detected: suspicious.dangerous_exec, suspicious.env_credential_access, suspicious.install_untrusted_source (+1 more)
Reason codes
suspicious.dangerous_exec, suspicious.env_credential_access, suspicious.install_untrusted_source, suspicious.potential_exfiltration
Engine
v2.2.0

Evidence

critical · dist/runtime.js:451
Shell command execution detected (child_process).
const r = spawnSync("ows", ["--version"], { encoding: "utf8", timeout: 5000 });
critical · src/runtime.ts:610
Shell command execution detected (child_process).
const r = spawnSync("ows", ["--version"], { encoding: "utf8", timeout: 5000 });
critical · dist/runtime.js:266
Environment variable access combined with network send.
const token = process.env[this.cfg.owsRestApiKeyEnv];
critical · showmethemoney-skill/demo-backend/server.mjs:4
Environment variable access combined with network send.
const PORT = Number(process.env.PORT || 8787);
critical · src/runtime.ts:399
Environment variable access combined with network send.
const token = process.env[this.cfg.owsRestApiKeyEnv];
warn · examples/plugins.entries.sample.json:7
Install source points to URL shortener or raw IP.
"backendBaseUrl": "http://127.0.0.1:28080",
warn · openclaw.plugin.json:13
Install source points to URL shortener or raw IP.
"default": "http://127.0.0.1:8080",
warn · dist/runtime.js:391
File read combined with network send (possible exfiltration).
const encrypted = await fs.readFile(this.cfg.localStatePath, "utf8");
warn · src/runtime.ts:541
File read combined with network send (possible exfiltration).
const encrypted = await fs.readFile(this.cfg.localStatePath, "utf8");