Back to plugin

Security audit

NovoLens

Security checks across malware telemetry and agentic risk

Overview

This plugin appears purpose-built rather than malicious, but it gives a remote bridge and LLM-driven remediation path too much local authority for automatic installation without careful review.

Install only if you trust the NovoLens bridge operator and want the security-fix features. Review or disable automatic remediation where possible, avoid exposing NOVOLENS_QR_HOST beyond loopback, treat any printed API key or binding URL as secret, and use a least-privileged OpenClaw account with backups before enabling remote security fixes.

VirusTotal

61/61 vendors flagged this plugin as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.destructive_delete_command, suspicious.exposed_secret_literal

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
dist/index.js:165
Evidence
const qrProcess = spawn(command.command, command.args, {

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
dist/src/open-qr-window.js:19
Evidence
spawn("cmd", ["/c", "start", "", filePath], { detached: true, stdio: "ignore" }).unref();

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
dist/src/remediation-executor.js:61
Evidence
return execSync(cmd, {

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
dist/src/security-scanner.js:26
Evidence
return execSync(cmd, { encoding: 'utf-8', timeout, stdio: ['pipe', 'pipe', 'pipe'] }).trim();

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
index.ts:199
Evidence
const qrProcess = spawn(command.command, command.args, {

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
src/open-qr-window.ts:19
Evidence
spawn("cmd", ["/c", "start", "", filePath], { detached: true, stdio: "ignore" }).unref();

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
src/remediation-executor.ts:65
Evidence
return execSync(cmd, {

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
src/security-scanner.ts:74
Evidence
return execSync(cmd, { encoding: 'utf-8', timeout, stdio: ['pipe', 'pipe', 'pipe'] }).trim()

Documentation contains a destructive delete command without an explicit confirmation gate.

Warn
Code
suspicious.destructive_delete_command
Location
README.md:72
Evidence
rm -rf ~/.openclaw/extensions/novolens-plugin-openclaw

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/src/channel.js:63
Evidence
apiKey: [REDACTED],

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/src/config.js:125
Evidence
out.apiKey = [REDACTED]();

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/src/setup-wizard.js:79
Evidence
...(patch.apiKey !== undefined ? { apiKey: [REDACTED]() } : {}),

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
src/channel.ts:117
Evidence
apiKey: [REDACTED],

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
src/config.ts:180
Evidence
if (typeof account.apiKey === 'string' && [REDACTED]()) out.apiKey = [REDACTED]();

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
src/setup-wizard.ts:92
Evidence
...(patch.apiKey !== undefined ? { apiKey: [REDACTED]() } : {}),