Back to plugin

Security audit

Openclaw Kagi

Security checks across malware telemetry and agentic risk

Overview

The plugin's code, README, and runtime instructions are coherent: it asks the user for a Kagi Session Link, stores it in the home directory, and uses that token to fetch Kagi HTML search results — nothing appears to request unrelated credentials or phone home to unexpected endpoints.

This plugin appears to do what it says: it asks you for your Kagi Session Link and uses it to fetch and parse Kagi HTML search results. Before installing, consider: - The Session Link is stored locally in plain JSON at ~/.openclaw/kagi.config.json. Treat it as a secret and revoke it from your Kagi account if you suspect compromise. - The plugin only communicates with kagi.com (and references its GitHub for issues); there are no other external endpoints in the code. - If you want extra assurance, review the repository code (dist/ and src/) yourself; the logic for extracting/validating the token and for HTML parsing is present and readable. - Ensure the host's filesystem permissions / umask are appropriate so that the stored token file is not broadly readable by other users on the same machine.

VirusTotal

No VirusTotal findings

View on VirusTotal

Static analysis

No suspicious patterns detected.