Back to plugin

Security audit

ACPX Runtime

Security checks across malware telemetry and agentic risk

Overview

This official OpenClaw ACP runtime is coherent and purpose-aligned, but it can launch external coding agents, keep session state, and perform pinned local repair steps.

Install if you want OpenClaw to manage ACP-backed coding-agent sessions. Review permissionMode, MCP bridge settings, configured agent commands, and mcpServers env values first, because enabled bridges or approve-all permissions can give spawned agents significant access. Expect local state and isolated Codex auth/config files under the plugin state directory, and be aware repair flows may install pinned local ACPX components and ask to restart the Gateway.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger conditions are broad enough to activate on vague requests like 'continue existing harness work' or 'relay instructions to an external coding harness,' which can cause the skill to take over routing for unrelated tasks. In this skill’s context, misrouting is risky because the selected paths can invoke external runtimes, create persistent sessions, or execute CLI-based control flows, expanding the chance of unintended tool use or command execution.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill instructs the agent to automatically install software, modify plugin-local artifacts, restart the gateway, and even proceed without asking for permission first unless policy blocks it. In a security-sensitive agent environment, this creates a dangerous path for unreviewed system changes that can alter execution state, introduce supply-chain risk through package installation, and disrupt service availability.

VirusTotal

61/61 vendors flagged this plugin as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
dist/mcp-proxy.mjs:100
Evidence
const child = spawn(target.command, target.args, createTargetSpawnOptions());

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
dist/service-CzJr7Koj.js:580
Evidence
const child = spawn(command, args, {