Shell command execution detected (child_process).
Critical
- Code
- suspicious.dangerous_exec
- Location
- dist/index.js:81
- Evidence
const child = spawn(command, args, {
Security audit
Security checks across malware telemetry and agentic risk
This plugin appears to do what it claims: it exposes MCPBundles tools through the local MCPBundles CLI, without asking for unrelated credentials or installing extra software.
This looks internally consistent, but it is a broad bridge: once enabled, the agent can use whatever services and Hub operations your logged-in MCPBundles CLI can access. Only install it if you trust MCPBundles and are comfortable letting OpenClaw invoke MCPBundles-connected tools. Also verify that the `mcpbundles` binary on the Gateway host is the one you intend to use, especially if you configure a custom command path.
62/62 vendors flagged this plugin as clean.
Detected: suspicious.dangerous_exec
const child = spawn(command, args, {const child = spawn(command, args, {