WeCanBot Base

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This appears to be a genuine WeCanBot/OpenClaw orchestration plugin, but its documented install path requires an unsafe-install flag, and the package includes broad runtime code loading, a local server, tool/gateway routes, and credential-handling behavior that users should review carefully.

Treat this as a powerful local orchestration plugin, not a simple prompt pack. Install only if you trust WeCanBot and are comfortable with a persistent local UI server, local auth-state use, dynamic app/workflow execution, and unsafe-install flags; test it in an isolated OpenClaw profile if possible.

Static analysis

Dangerous exec

Critical
Finding
Shell command execution detected (child_process).
Skill content
uiProcess = spawn('node', ['server.js'], {

Dangerous exec

Critical
Finding
Shell command execution detected (child_process).
Skill content
const listed = String(exec('openclaw', listArgs, {

Dynamic code execution

Critical
Finding
Dynamic code execution detected.
Skill content
const dynamicImport = new Function('url', 'return import(url)') as (url: string) => Promise<Record<string, unknown>>;

Dynamic code execution

Critical
Finding
Dynamic code execution detected.
Skill content
const dynamicImport = new Function('url', 'return import(url)') as (url: string) => Promise<Record<string, unknown>>;

Dynamic code execution

Critical
Finding
Dynamic code execution detected.
Skill content
const dynamicImportModule = new Function(

Env credential access

Critical
Finding
Environment variable access combined with network send.
Skill content
"use strict";(()=>{var a={};a.id=7371,a.ids=[7371],a.modules={261:a=>{a.exports=require("next/dist/shared/lib/router/utils/app-paths")},1932:a=>{a.exports=requi...

Env credential access

Critical
Finding
Environment variable access combined with network send.
Skill content
"use strict";(()=>{var a={};a.id=3374,a.ids=[3374],a.modules={261:a=>{a.exports=require("next/dist/shared/lib/router/utils/app-paths")},1932:a=>{a.exports=requi...

Env credential access

Critical
Finding
Environment variable access combined with network send.
Skill content
\`\`\``:b,subtype:"toolCall"})}}if("toolResult"===b&&void 0!==a.result&&null!==a.result){let b;(b="string"==typeof a.result?a.result.trim():JSON.stringify(a.res...

Env credential access

Critical
Finding
Environment variable access combined with network send.
Skill content
exports.id=3445,exports.ids=[3445],exports.modules={6634:(a,b)=>{"use strict";Object.defineProperty(b,"__esModule",{value:!0});var c={indexOfUint8Array:function...

Env credential access

Critical
Finding
Environment variable access combined with network send.
Skill content
Original Message: ${d}`);console.error(`Route ${b} errored during ${c}. These errors are normally ignored and may not prevent the route from prerendering but ar...

Env credential access

Critical
Finding
Environment variable access combined with network send.
Skill content
`,"utf8")}function n(a=h.XP){let b=k(a),c=i(l(a).WECANBOT_SERVER_API_TOKEN);if(!c)throw Error(`WECANBOT_SERVER_API_TOKEN is required in ${b}`);return c}function...

Env credential access

Critical
Finding
Environment variable access combined with network send.
Skill content
process.env.WS_NO_BUFFER_UTIL = '1';

Exposed secret literal

Critical
Finding
File appears to expose a hardcoded API secret or token.
Skill content
"use strict";(self.webpackChunk_N_E=self.webpackChunk_N_E||[]).push([[9397],{55:(e,t,n)=>{n.d(t,{B:()=>a});var r=n(2835),i=n(4294);let a={partial:!0,tokenize:fu...

Obfuscated code

Warn
Finding
Potential obfuscated payload detected.
Skill content
(()=>{var a={};a.id=8974,a.ids=[8974],a.modules={261:a=>{"use strict";a.exports=require("next/dist/shared/lib/router/utils/app-paths")},1708:a=>{"use strict";a....

Obfuscated code

Warn
Finding
Potential obfuscated payload detected.
Skill content
"use strict";(self.webpackChunk_N_E=self.webpackChunk_N_E||[]).push([[9397],{55:(e,t,n)=>{n.d(t,{B:()=>a});var r=n(2835),i=n(4294);let a={partial:!0,tokenize:fu...

Potential exfiltration

Warn
Finding
Sensitive-looking file read is paired with a network send.
Skill content
`,{mode:384}),this.identity=f,f}readStoredDeviceToken(){try{if(!e().existsSync(this.deviceAuthPath))return null;let a=JSON.parse(e().readFileSync(this.deviceAut...

Potential exfiltration

Warn
Finding
Sensitive-looking file read is paired with a network send.
Skill content
const parsed = JSON.parse(fs.readFileSync(this.deviceAuthPath, 'utf8')) as DeviceAuthState;

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing this may run more code than a normal reviewed skill install would allow.

Why it was flagged

The official documented install path asks the user to bypass unsafe-install protections for a package that contains executable plugin code and a bundled server.

Skill content
openclaw plugins install clawhub:@wecanbot/base --dangerously-force-unsafe-install
Recommendation

Install only if you trust the publisher and source; avoid the curl-to-shell path unless you can inspect the script, and consider testing in a separate OpenClaw profile first.

What this means

Later app/task packages could cause the plugin to load and execute additional code if configuration points to them.

Why it was flagged

The task runtime can dynamically import configured module URLs instead of only loading fixed bundled code.

Skill content
if (/^(?:[a-z]+:)?\/\//i.test(trimmed) || /^[a-z]+:/i.test(trimmed)) { return trimmed; } ... const mod = await import(resolvedUrl);
Recommendation

Only install trusted WeCanBot app packages, and the publisher should restrict dynamic imports to signed or allowlisted local packages.

What this means

If these routes are reachable with insufficient checks, they could allow powerful tool or gateway actions outside normal UI workflows.

Why it was flagged

The bundled UI includes debug tool-invocation and raw gateway API routes, which are broader escape-hatch surfaces than the base tools described in SKILL.md.

Skill content
"/api/debug/tools/invoke/route": "/api/debug/tools/invoke", ... "/api/gateway/raw/route": "/api/gateway/raw"
Recommendation

Before installing, verify that these endpoints require strong local/plugin authentication and user approval, or disable debug/raw routes in production use.

What this means

The plugin may use local device/auth identity and server tokens for pairing or account access.

Why it was flagged

The auth installer code knows how to read a local OpenClaw device identity file and can fall back to a WeCanBot cloud server, while registry metadata declares no credentials.

Skill content
const DEFAULT_OPENCLAW_DEVICE_IDENTITY_PATH = path.join(os.homedir(), '.clawsh', 'gateway-device.json'); ... const CLOUD_SERVER_URL = 'https://wecanbot.cloud';
Recommendation

Review files under ~/.clawsh before use, confirm which WeCanBot server you are connecting to, and revoke/rotate tokens if you uninstall or no longer trust the plugin.

What this means

A local background service will run while the plugin is active.

Why it was flagged

The plugin starts a local Node UI server as a registered service; SKILL.md also discloses that it will start a local Node UI process.

Skill content
uiProcess = spawn('node', ['server.js'], { cwd: UI_RUNTIME_DIR, ... PORT: '18788' ... })
Recommendation

Stop or uninstall the plugin when not needed, and monitor local port 18788 if you are troubleshooting.

What this means

Attachments, generated artifacts, and task metadata may remain on disk and could include private information.

Why it was flagged

The package intentionally persists workspace files and metadata for later retrieval.

Skill content
store workspace files and sqlite metadata for `workspace_files`
Recommendation

Do not store secrets unless necessary, and periodically review or clean the WeCanBot/OpenClaw state directories.