Back to plugin

Security audit

pi-shell-acp

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate OpenClaw-to-pi bridge, but it needs review because it forwards sensitive runtime context to a spawned child process and logs prompt metadata by default.

Install only if you trust the local pi binary and backend CLIs it will invoke. Prefer in-container backend login over host credential bind mounts, avoid passing broad secret-filled environments to the OpenClaw gateway, keep gateway logs private, and periodically review or clean ~/.pi/agent state if prompts or workspace data may be sensitive.

VirusTotal

61/61 vendors flagged this plugin as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.exposed_secret_literal

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
dist/index.js:417
Evidence
let match = re.exec(text);

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
src/index.ts:606
Evidence
let match = re.exec(text);

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/index.js:936
Evidence
apiKey: "[REDACTED]",

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
src/index.ts:1229
Evidence
apiKey: "[REDACTED]",