openclaw-tools

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The docs state the ACP backend enforces a plugin-local install that will run at startup if missing — it auto-runs "npm install --omit=dev --no-save acpx@" to fetch and install the acpx binary at runtime, which downloads and executes remote code required for ACP sessions.