Back to plugin

Security audit

StablePay OpenClaw Plugin

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real StablePay wallet/payment plugin, but it grants broad wallet-signing and payment authority that users should review carefully before enabling.

Install only if you intend to give OpenClaw wallet-signing and StablePay payment capabilities. Use trusted backends, keep auto-payment thresholds minimal, protect the master key and OWS credentials, and require manual approval for raw signing or payment execution.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.env_credential_access, suspicious.install_untrusted_source

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
dist/runtime.js:451
Evidence
const r = spawnSync("ows", ["--version"], { encoding: "utf8", timeout: 5000 });

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
src/runtime.ts:610
Evidence
const r = spawnSync("ows", ["--version"], { encoding: "utf8", timeout: 5000 });

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
dist/runtime.js:266
Evidence
const token = process.env[this.cfg.owsRestApiKeyEnv];

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
showmethemoney-skill/demo-backend/server.mjs:4
Evidence
const PORT = Number(process.env.PORT || 8787);

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
src/runtime.ts:399
Evidence
const token = process.env[this.cfg.owsRestApiKeyEnv];

Install source points to URL shortener or raw IP.

Warn
Code
suspicious.install_untrusted_source
Location
examples/plugins.entries.sample.json:7
Evidence
"backendBaseUrl": "http://127.0.0.1:28080",

Install source points to URL shortener or raw IP.

Warn
Code
suspicious.install_untrusted_source
Location
openclaw.plugin.json:13
Evidence
"default": "http://127.0.0.1:8080",