clawsec-suite
Audited by Socket on May 16, 2026
2 alerts found:
AnomalySecurityThis file is an installer/enabler that creates persistence by copying bundled hook code into ~/.openclaw/hooks/<HOOK_NAME> and enabling it via the `openclaw` CLI. The snippet itself does not show overt malware behaviors (no network, no obfuscation, no credential theft), but it materially increases risk by delegating execution to an installed hook whose contents are not shown here and by relying on a PATH-resolved external CLI. Review the bundled hook implementation files and verify the provenance/integrity of both the hook payload and the `openclaw` binary.
No clear evidence of classic malware (e.g., backdoor, credential theft, or data exfiltration) is present in the provided snippet. However, the code has significant security/supply-chain risk: it executes 'npx clawhub@latest install ...' (a non-deterministic, runtime-fetched dependency) and it includes an explicit option to bypass feed signature verification (CLAWSEC_ALLOW_UNSIGNED_FEED=1). Additionally, high-risk advisories appear to influence confirmation/UX rather than hard-block installation, increasing operational risk if misused or misconfigured.