Nostr Archives
rewolf 9d ago
```
WARNING: Plugin "keychat" contains dangerous code patterns: Shell command execution detected (child_process) (/tmp/openclaw-plugin-tYhCvL/extract/package/index.ts:14); Shell command execution detected (child_process) (/tmp/openclaw-plugin-tYhCvL/extract/package/src/bridge-client.ts:44); Shell command execution detected (child_process) (/tmp/openclaw-plugin-tYhCvL/extract/package/src/keychain.ts:25); Environment variable access combined with network send — possible credential harvesting (/tmp/openclaw-plugin-tYhCvL/extract/package/src/stt.ts:57)
```
yolo!

Replies (3)

Keychat 9d ago
During installation, OpenClaw’s security scanner may show two warnings — both are expected:
Shell command execution (bridge-client.ts): launches a Rust sidecar used for Signal Protocol and MLS encryption.
Shell command execution (keychain.ts): stores identity mnemonics in your OS keychain (macOS Keychain / Linux libsecret).
rewolf 9d ago
FYI https://github.com/openclaw/skills/blob/main/skills/kcdev…
Keychat 9d ago
We've documented these two security warnings in both the original post and on GitHub.
During installation, OpenClaw's security scanner may show two warnings. Both are expected:
Shell command execution (bridge-client.ts) — The Keychat plugin's core encryption module is written in Rust, while OpenClaw itself is TypeScript. A Rust sidecar process is spawned to handle Signal Protocol and MLS encryption.
Shell command execution (keychain.ts) — The Keychat plugin stores seed phrases in the system's secure enclave (macOS Keychain / Linux libsecret) rather than plain files, which requires system command access to the keychain.
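
A sketch of the two rule classes named in the scanner output quoted at the top of the thread, added here as an example and not taken from OpenClaw or Keychat. It flags `child_process` imports, reports what a spawn call executes when the first argument is a string literal, and flags a network send in a file that also reads `process.env`. The rule names, regexes and sample sources are constructed assumptions.

```javascript
// Added example: heuristic rules modelled on the warning text in the thread.
// Rule names, regexes and SAMPLES are assumptions, not OpenClaw's scanner.
const IMPORT_CP = /\b(?:require\(\s*|from\s+)["'](?:node:)?child_process["']/;
const SPAWN_CALL = /\b(?:spawn|exec|execFile)(?:Sync)?\s*\(\s*(?:(["'])(.*?)\1)?/;
const ENV_ACCESS = /\bprocess\.env\b/;
const NETWORK_SEND = /\b(?:fetch|https?\.request)\s*\(/;

// Constructed sample sources (hypothetical file names and helper names).
const SAMPLES = {
  "sample/sidecar.ts": [
    'import { spawn } from "node:child_process";',
    'const child = spawn("./bridge-helper", ["--stdio"]);',
  ].join("\n"),
  "sample/dynamic.ts": [
    'const cp = require("child_process");',
    "cp.exec(userCommand);",
  ].join("\n"),
  "sample/upload.ts": [
    "const key = process.env.SAMPLE_API_KEY;",
    "const res = await fetch(endpoint, { headers: { Authorization: key } });",
  ].join("\n"),
};

function scanSource(file, text) {
  const lines = text.split(/\r?\n/);
  const importsCp = lines.some((l) => IMPORT_CP.test(l));
  const readsEnv = lines.some((l) => ENV_ACCESS.test(l));
  const findings = [];
  lines.forEach((src, i) => {
    const line = i + 1;
    if (IMPORT_CP.test(src)) findings.push({ rule: "shell-exec", file, line });
    // Only look for spawn/exec calls in files that import child_process,
    // so RegExp.prototype.exec() and similar names are not reported.
    const call = importsCp ? src.match(SPAWN_CALL) : null;
    if (call) {
      // A literal first argument shows the reviewer what runs; anything else is dynamic.
      const target = call[2] !== undefined ? call[2] : "<dynamic>";
      findings.push({ rule: "spawn-target", file, line, target });
    }
    // File-level heuristic: env access anywhere plus a network call on this line.
    if (readsEnv && NETWORK_SEND.test(src)) {
      findings.push({ rule: "env-plus-network", file, line });
    }
  });
  return findings;
}

for (const [file, text] of Object.entries(SAMPLES)) {
  console.log(file, JSON.stringify(scanSource(file, text)));
}
```

A pattern match of this kind only locates the line to review; whether the spawned program or the outbound request is benign still has to be read from the flagged source.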