Openclaw Twitch 2026.5.26.Tgz

Security checks across malware telemetry and agentic risk

Overview

This official OpenClaw Twitch plugin behaves like a normal Twitch chat integration, but users should protect Twitch tokens and logs.

Install only if you want OpenClaw to connect to Twitch chat with a bot account. Use a dedicated Twitch bot token with minimal chat scopes, restrict who can trigger the bot with allowFrom or roles, keep configuration files out of source control/backups, prefer OPENCLAW_TWITCH_ACCESS_TOKEN for the default access token when practical, and avoid verbose/debug logging in channels where chat may contain sensitive information.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 87%
Finding:
Inbound Twitch chat messages are logged with sender identity and up to 100 characters of message content. This can expose private, sensitive, or user-supplied data in operational logs, which are often retained, aggregated, or accessible to administrators beyond the original chat audience.

Missing User Warnings

Medium
Confidence: 89%
Finding:
The setup wizard collects and persists sensitive Twitch credentials, including access tokens, client secrets, and refresh tokens, directly into the returned configuration object without an explicit warning or a secure-secret-storage path. In agent/plugin environments, config files are commonly checked into source control, logged, backed up, or exposed to other components, so silent persistence of long-lived secrets increases the chance of credential disclosure and account compromise.

VirusTotal

53/53 vendors flagged this plugin as clean.
