Shell command execution detected (child_process).
- Code
- suspicious.dangerous_exec
- Location
- dist/index.js:165
- Evidence
const qrProcess = spawn(command.command, command.args, {
Security audit
Security checks across malware telemetry and agentic risk
This plugin appears purpose-built rather than malicious, but it gives a remote bridge and LLM-driven remediation path too much local authority for automatic installation without careful review.
Install only if you trust the NovoLens bridge operator and want the security-fix features. Review or disable automatic remediation where possible, avoid exposing NOVOLENS_QR_HOST beyond loopback, treat any printed API key or binding URL as secret, and use a least-privileged OpenClaw account with backups before enabling remote security fixes.
61/61 vendors flagged this plugin as clean.
Detected: suspicious.dangerous_exec, suspicious.destructive_delete_command, suspicious.exposed_secret_literal
const qrProcess = spawn(command.command, command.args, {spawn("cmd", ["/c", "start", "", filePath], { detached: true, stdio: "ignore" }).unref();return execSync(cmd, {return execSync(cmd, { encoding: 'utf-8', timeout, stdio: ['pipe', 'pipe', 'pipe'] }).trim();const qrProcess = spawn(command.command, command.args, {spawn("cmd", ["/c", "start", "", filePath], { detached: true, stdio: "ignore" }).unref();return execSync(cmd, {return execSync(cmd, { encoding: 'utf-8', timeout, stdio: ['pipe', 'pipe', 'pipe'] }).trim()rm -rf ~/.openclaw/extensions/novolens-plugin-openclaw
apiKey: [REDACTED],
out.apiKey = [REDACTED]();
...(patch.apiKey !== undefined ? { apiKey: [REDACTED]() } : {}),apiKey: [REDACTED],
if (typeof account.apiKey === 'string' && [REDACTED]()) out.apiKey = [REDACTED]();
...(patch.apiKey !== undefined ? { apiKey: [REDACTED]() } : {}),