Security audit
AgentCenter Bridge
Security checks across malware telemetry and agentic risk
Overview
The plugin's code, config schema, and runtime instructions align with its description: it opens a persistent WebSocket to AgentCenter Cloud, forwards agent events, and accepts remote task deliveries using OpenClaw's embedding APIs.
This plugin appears to do exactly what it says, but it grants the remote AgentCenter instance significant authority: any holder of the configured token and access to the WebSocket can deliver tasks that will run embedded agent sessions inside your OpenClaw process and will receive agent roster/events (including agent outputs). Before installing, verify you trust the AgentCenter server and the origin of the setup token. Consider: (1) use a dedicated, least-privileged token and rotate it after initial registration; (2) review which local agents you expose and what data they output; (3) restrict network access (firewall or allowlist) to the AgentCenter URL if possible; (4) be aware the plugin prints a permanent per-machine token to stdout on first registration (check logs for exposure); and (5) audit agent code and runtime permissions so remote-delivered tasks cannot access sensitive host resources. If you are unsure about trusting the remote service or need stricter controls, do not enable this bridge.
VirusTotal
No VirusTotal findings
Static analysis
No suspicious patterns detected.
