openclaw-deck
Pass
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: LOWCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION] (LOW): The skill instructions in SKILL.md direct the agent to execute
npm installandnpm run dev. These commands trigger local process execution for the Vite development server. - [EXTERNAL_DOWNLOADS] (LOW): Running
npm installdownloads multiple third-party packages from the public npm registry. The listed dependencies in package.json (React, Zustand, Vite) are standard industry libraries, but the process inherently introduces supply chain risk. - [CREDENTIALS_UNSAFE] (INFO): The application logic in App.tsx and gateway-client.ts allows authentication tokens to be passed via URL parameters (
?token=...). While common for local development tools, this can lead to token exposure in browser history or logs.
Audit Metadata