openclaw-deploy

Warn

Audited by Socket on Jun 19, 2026

1 alert found:

Anomaly
AnomalyLOW
reference/extended.md

This fragment is a deployment/operations guide that includes a local proxy relay (forwarding HTTP/CONNECT traffic through a configured upstream) and CDP-based injection/persistence of X/Twitter auth cookies (auth_token/ct0/twid) into a headless Chromium session, saving cookies to disk. There is no overt evidence of covert malware (e.g., C2/exfil endpoints, obfuscation, crypto mining, reverse shell) within the shown code. However, it performs highly sensitive authentication manipulation and persists credentials, and it overwrites /usr/bin/chromium and modifies installed OpenClaw dist code—both of which are security-sensitive and could be abused. Treat as a security-critical capability module and review token handling/storage and deployment context.

Confidence: 62%Severity: 68%
Audit Metadata
Analyzed At
Jun 19, 2026, 04:00 PM
Package URL
pkg:socket/skills-sh/majiayu000%2Fspellbook%2Fopenclaw-deploy%2F@43f61837c02505c3cd5008b7f31016fbf229e4b5c1cc092346016678d6c3bd96
Security Audit — socket — openclaw-deploy