Back to plugin

Security audit

Nebius Token Factory

Security checks across malware telemetry and agentic risk

Overview

The plugin's files, manifest, and runtime instructions are consistent with a Nebius Token Factory provider for OpenClaw and the requested credential (NEBIUS_API_KEY) matches the stated purpose.

This package appears to do what it says: register a Nebius provider and require a single Nebius API key. Before installing: 1) Confirm you obtained the API key from studio.nebius.ai and trust that endpoint. 2) Back up any existing ~/.openclaw/agents/main/agent/auth-profiles.json and your current plugins.allow value before modifying them. 3) If you are not on macOS, do not run the launchctl instructions — use the equivalent method for your OS (systemd service env or other) so the OpenClaw gateway can access the key. 4) Verify the plugin source (the repo URL in package.json) and inspect the dist/index.js if you want to double-check network endpoints; it references only api.tokenfactory.nebius.com. 5) Installing third‑party plugins grants them the ability to be invoked by agents — this plugin is user-invocable and not forced (always:false), but consider whether you want the plugin enabled for autonomous agent actions in your environment.

VirusTotal

No VirusTotal findings

View on VirusTotal

Static analysis

No suspicious patterns detected.