OrgX for OpenClaw

Security checks across static analysis, malware telemetry, and agentic risk

Overview

OrgX appears aligned with its memory and coordination purpose, but it adds persistent cross-agent state and broad local command execution that users should review carefully before installing.

Before installing, decide whether you want OrgX to store and sync organizational context across agents and sessions. Use it only in trusted workspaces, review the local credential/state files, verify dashboard and terminal-command protections, and enable MCP auto-configuration, managed agent suite provisioning, telemetry, or watchdog behavior only if you need them.

SkillSpector

By NVIDIA

SkillSpector has not run for this release. Legacy ClawScan findings remain available under Risk analysis.

Static analysis

Dangerous exec

Critical
Finding
Shell command execution detected (child_process).
Skill content
const child = spawn(input.command, input.args, {

Dangerous exec

Critical
Finding
Shell command execution detected (child_process).
Skill content
const child = spawn("node", [scriptPath], {

Dangerous exec

Critical
Finding
Shell command execution detected (child_process).
Skill content
const result = spawnSync(trimmed, ["--version"], {

Dangerous exec

Critical
Finding
Shell command execution detected (child_process).
Skill content
const child = spawn(input.command, input.args, {

Dangerous exec

Critical
Finding
Shell command execution detected (child_process).
Skill content
cp.exec(command, (error) => {

Dangerous exec

Critical
Finding
Shell command execution detected (child_process).
Skill content
exec(cmd, (err) => {

Dangerous exec

Critical
Finding
Shell command execution detected (child_process).
Skill content
execFileSync(command, args, {

Env credential access

Critical
Finding
Environment variable access combined with network send.
Skill content
process.env.ORGX_DISABLE_MCP_CLIENT_AUTOCONFIG !== "1") {

Env credential access

Critical
Finding
Environment variable access combined with network send.
Skill content
const raw = process.env[name];

Env credential access

Critical
Finding
Environment variable access combined with network send.
Skill content
const raw = (process.env[name] ?? "").trim();

Env credential access

Critical
Finding
Environment variable access combined with network send.
Skill content
process.env.ORGX_LLM_API_KEY ?? "",

Env credential access

Critical
Finding
Environment variable access combined with network send.
Skill content
const explicitEnable = isTruthyEnv(process.env.ORGX_TELEMETRY_ENABLED);

Exposed secret literal

Critical
Finding
File appears to expose a hardcoded API secret or token.
Skill content
apiKey: [REDACTED],

Exposed secret literal

Critical
Finding
File appears to expose a hardcoded API secret or token.
Skill content
apiKey: [REDACTED],

Exposed secret literal

Critical
Finding
File appears to expose a hardcoded API secret or token.
Skill content
const apiKey = [REDACTED];

Exposed secret literal

Critical
Finding
File appears to expose a hardcoded API secret or token.
Skill content
const apiKey = [REDACTED]();

VirusTotal

66/66 vendors flagged this plugin as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
High
What this means

If this route or dashboard action is reachable by the wrong actor or agent flow, it could run local shell commands with the user's privileges.

Why it was flagged

A live-terminal HTTP route executes a command string. The README says terminal and CLI child-process actions require explicit runtime or dashboard actions, but the provided artifacts do not show command allowlisting, authorization boundaries, or per-command approval.

Skill content
exec(cmd, (err) => {
Recommendation

Install only if you trust the plugin and can verify dashboard access controls, command scoping, and approval behavior; disable or avoid live terminal/automation features if not needed.

ASI06: Memory and Context Poisoning
Medium
What this means

Sensitive, incorrect, or maliciously-influenced context could persist and affect later agents or workflows.

Why it was flagged

The core feature is persistent shared memory reused across agents and sessions. That is purpose-aligned, but the artifacts do not fully show retention, deletion, review, or trust-boundary controls for information that persists and influences future agents.

Skill content
Agents read and write to a shared entity graph... Every session. Every agent. Every tool. Forever.
Recommendation

Use it only for workspaces where persistent shared memory is desired; review what is stored, separate sensitive projects, and look for controls to delete or scope memory.

ASI03: Identity and Privilege Abuse
Low
What this means

Anyone or any process that can read the credential file may be able to access the connected OrgX account or workspace.

Why it was flagged

OrgX credentials are expected for the service integration and are disclosed, but file-based credential storage is sensitive and should be protected.

Skill content
Browser pairing and manual API-key setup both store credentials locally on your machine... The current credential store is file-based rather than OS-keychain-backed.
Recommendation

Protect the local config directory, avoid sharing backups/logs that include it, and rotate the OrgX key if you suspect exposure.

ASI07: Insecure Inter-Agent Communication
Low
What this means

Other configured agent clients may be able to read from or write to the shared OrgX context.

Why it was flagged

The local MCP bridge is purpose-aligned and auto-configuration is described as opt-in, but it connects multiple agent clients to shared organizational memory and actions.

Skill content
The plugin exposes a local bridge at `/orgx/mcp`. If you want Claude, Cursor, or Codex wired to that bridge automatically, you can explicitly enable that behavior in plugin config.
Recommendation

Enable MCP client auto-configuration only for trusted clients and confirm which tools can access the bridge.

ASI10: Rogue Agents
Low
What this means

OrgX may continue syncing or keeping gateway-related processes alive while the plugin is installed.

Why it was flagged

Background sync and watchdog behavior are disclosed and partly disableable, but they mean the plugin can keep operating beyond a single agent request.

Skill content
The plugin runs a background sync service as part of normal operation. It can also start a local gateway watchdog process to keep the OpenClaw gateway reachable; if you do not want that behavior, set `ORGX_DISABLE_GATEWAY_WATCHDOG=1`.
Recommendation

Review and set the documented disable flags if you do not want persistent background behavior.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

A user may underestimate how much executable code is installed with the skill/plugin.

Why it was flagged

The registry/install metadata under-describes that the reviewed package includes executable plugin code. This is not malicious by itself, but users should not treat it as a documentation-only skill.

Skill content
No install spec — this is an instruction-only skill. ... Code file presence 261 code file(s) ... Capability signals - executes-code
Recommendation

The publisher should align metadata with the executable plugin behavior; users should review the package as code, not just instructions.