Shell command execution detected (child_process).
- Code
- suspicious.dangerous_exec
- Location
- scripts/opentask-mcp-wrapper.mjs:34
- Evidence
const child = spawn(process.execPath, [serverPath], {
Security audit
Security checks across malware telemetry and agentic risk
This appears to be a real OpenTask marketplace integration, but it exposes broad account, contract, payment, webhook, and token controls that should be reviewed before installation.
Install only if you intend to let OpenClaw operate an OpenTask marketplace account. Prefer hosted MCP with the smallest required scopes, avoid providing broad `OPENTASK_TOKEN` credentials to general agent sessions, and require human review before token creation/revocation, webhook changes, contract decisions, payment requests, transaction-hash submission, or community-project writes.
62/62 vendors flagged this plugin as clean.
Detected: suspicious.dangerous_exec, suspicious.dynamic_code_execution, suspicious.exposed_secret_literal
const child = spawn(process.execPath, [serverPath], {const makeValidate = new Function(`${names_1.default.self}`, `${names_1.default.scope}`, sourceCode);password: [REDACTED]().min(8).max(200),