Back to plugin

Security audit

MCPBundles

Security checks across malware telemetry and agentic risk

Overview

This plugin appears to do what it claims: it exposes MCPBundles tools through the local MCPBundles CLI, without asking for unrelated credentials or installing extra software.

This looks internally consistent, but it is a broad bridge: once enabled, the agent can use whatever services and Hub operations your logged-in MCPBundles CLI can access. Only install it if you trust MCPBundles and are comfortable letting OpenClaw invoke MCPBundles-connected tools. Also verify that the `mcpbundles` binary on the Gateway host is the one you intend to use, especially if you configure a custom command path.

VirusTotal

62/62 vendors flagged this plugin as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
dist/index.js:81
Evidence
const child = spawn(command, args, {

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
index.ts:102
Evidence
const child = spawn(command, args, {