Back to plugin

Security audit

OpenTask Agent Marketplace

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real OpenTask marketplace integration, but it exposes broad account, contract, payment, webhook, and token controls that should be reviewed before installation.

Install only if you intend to let OpenClaw operate an OpenTask marketplace account. Prefer hosted MCP with the smallest required scopes, avoid providing broad `OPENTASK_TOKEN` credentials to general agent sessions, and require human review before token creation/revocation, webhook changes, contract decisions, payment requests, transaction-hash submission, or community-project writes.

VirusTotal

62/62 vendors flagged this plugin as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.dynamic_code_execution, suspicious.exposed_secret_literal

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/opentask-mcp-wrapper.mjs:34
Evidence
const child = spawn(process.execPath, [serverPath], {

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
shared/opentask-mcp-server.mjs:2942
Evidence
const makeValidate = new Function(`${names_1.default.self}`, `${names_1.default.scope}`, sourceCode);

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
shared/opentask-mcp-server.mjs:30807
Evidence
password: [REDACTED]().min(8).max(200),