@openclaw/discord
OpenClaw Discord channel plugin
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | source-size-tripled | AI (source-diff): Size increase is due to bundling multi-platform native binaries; consistent with the package's purpose. | ai | |
| npm-metadata | bundled-binaries | AI (npm-metadata): Binaries are @snazzah/davey napi-rs platform builds for @discordjs/voice; expected for this Discord plugin package. | ai | |
| source-diff | large-new-source-files | AI (source-diff): New files are platform-specific prebuilt .node binaries and wasm runtime; expected for this native-binding bundle. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Decoding a Discord snowflake/token component to extract numeric ID — legitimate protocol parsing. | ai | |
| semgrep | semgrep:api-obfuscation-reflect | AI (semgrep): Reflect.get in a Proxy handler inside a test mock — standard JS pattern, not obfuscation. | ai | |
| semgrep | semgrep:shady-links-raw-ip | AI (semgrep): All instances are in test files using 127.0.0.1 for local proxy testing — not production network calls. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): Used in a test helper to inject a temp dir env var; not in production code. | ai | |
| provenance | slsa-provenance | AI (provenance): Package consistently published via CI with SLSA attestation; strong supply chain integrity signal. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): vincentkoc added alongside CI publisher transition; consistent with org-level maintainer handoff. | ai | |
| provenance | publisher-changed | AI (provenance): Transition to GitHub Actions publisher with SLSA provenance is a legitimate CI/CD migration pattern. | ai |
Versions (showing 38 of 38)
| Version | Deps | Published |
|---|---|---|
| 2026.6.1 | 6 / 0 | |
| 2026.5.28 | 6 / 0 | |
| 2026.5.27 | 7 / 0 | |
| 2026.5.26 | 7 / 0 | |
| 2026.5.22 | 7 / 0 | |
| 2026.5.20 | 7 / 2 | |
| 2026.5.19 | 7 / 2 | |
| 2026.5.18 | 7 / 2 | |
| 2026.5.12 | 7 / 2 | |
| 2026.5.7 | 7 / 2 | |
| 2026.5.6 | 7 / 2 | |
| 2026.5.5 | 7 / 2 | |
| 2026.5.4 | 7 / 2 | |
| 2026.5.3 | 7 / 2 | |
| 2026.5.2 | 7 / 2 | |
| 2026.3.13 | 0 / 0 | |
| 2026.3.12 | 0 / 0 | |
| 2026.3.11 | 0 / 0 | |
| 2026.3.10 | 0 / 0 | |
| 2026.3.7 | 0 / 0 | |
| 2026.3.2 | 0 / 0 | |
| 2026.3.1 | 0 / 0 | |
| 2026.2.25 | 0 / 0 | |
| 2026.2.24 | 0 / 0 | |
| 2026.2.23 | 0 / 1 | |
| 2026.2.22 | 0 / 1 | |
| 2026.2.21 | 0 / 1 | |
| 2026.2.19 | 0 / 1 | |
| 2026.2.17 | 0 / 1 | |
| 2026.2.15 | 0 / 1 | |
| 2026.2.14 | 0 / 1 | |
| 2026.2.13 | 0 / 1 | |
| 2026.2.12 | 0 / 1 | |
| 2026.2.9 | 0 / 1 | |
| 2026.2.6 | 0 / 1 | |
| 2026.2.2 | 0 / 1 | |
| 2026.2.1 | 0 / 1 | |
| 2026.1.29 | 0 / 0 |
v2026.6.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.5.28
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.5.27
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.5.26
2 findings
Package contains compiled binaries that could be backdoors:
- node_modules/@snazzah/davey-android-arm-eabi/davey.android-arm-eabi.node
- node_modules/@snazzah/davey-android-arm64/davey.android-arm64.node
- node_modules/@snazzah/davey-darwin-arm64/davey.darwin-arm64.node
- node_modules/@snazzah/davey-darwin-x64/davey.darwin-x64.node
- node_modules/@snazzah/davey-freebsd-x64/davey.freebsd-x64.node
- node_modules/@snazzah/davey-linux-arm-gnueabihf/davey.linux-arm-gnueabihf.node
- node_modules/@snazzah/davey-linux-arm64-gnu/davey.linux-arm64-gnu.node
- node_modules/@snazzah/davey-linux-arm64-musl/davey.linux-arm64-musl.node
- node_modules/@snazzah/davey-linux-x64-gnu/davey.linux-x64-gnu.node
- node_modules/@snazzah/davey-linux-x64-musl/davey.linux-x64-musl.node
- ... and 3 more
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.5.22
2 findings
Package contains compiled binaries that could be backdoors:
- node_modules/@snazzah/davey-android-arm-eabi/davey.android-arm-eabi.node
- node_modules/@snazzah/davey-android-arm64/davey.android-arm64.node
- node_modules/@snazzah/davey-darwin-arm64/davey.darwin-arm64.node
- node_modules/@snazzah/davey-darwin-x64/davey.darwin-x64.node
- node_modules/@snazzah/davey-freebsd-x64/davey.freebsd-x64.node
- node_modules/@snazzah/davey-linux-arm-gnueabihf/davey.linux-arm-gnueabihf.node
- node_modules/@snazzah/davey-linux-arm64-gnu/davey.linux-arm64-gnu.node
- node_modules/@snazzah/davey-linux-arm64-musl/davey.linux-arm64-musl.node
- node_modules/@snazzah/davey-linux-x64-gnu/davey.linux-x64-gnu.node
- node_modules/@snazzah/davey-linux-x64-musl/davey.linux-x64-musl.node
- ... and 3 more
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.5.20
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.5.19
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.5.18
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.5.12
2 findings
This version was published by a different npm account than previous versions on 2026-05-14. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.5.7
2 findings
This version was published by a different npm account than previous versions on 2026-05-07. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.5.6
2 findings
This version was published by a different npm account than previous versions on 2026-05-06. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.5.5
2 findings
This version was published by a different npm account than previous versions on 2026-05-06. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.5.4
2 findings
This version was published by a different npm account than previous versions on 2026-05-05. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.5.3
2 findings
This version was published by a different npm account than previous versions on 2026-05-04. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.5.2
3 findings
This version was published by a different npm account than previous versions on 2026-05-02. This could indicate a legitimate maintainer transition or an account compromise.
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/openclaw/openclaw/blob/8842a5bd43a6874c86645d00dab80611a94d5850/src/monitor/model-picker-preferences.test.ts#L15
```text
13 |   const dir = await fs.mkdtemp(path.join(os.tmpdir(), "openclaw-model-picker-"));
14 |   tempDirs.push(dir);
> 15 |   return { ...process.env, OPENCLAW_STATE_DIR: dir };
16 | }
17 |
```
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.3.13
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2026.3.12
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2026.3.11
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2026.3.10
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2026.3.7
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2026.3.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2026.3.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2026.2.25
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2026.2.24
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2026.2.23
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2026.2.22
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2026.2.21
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2026.2.19
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2026.2.17
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2026.2.15
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2026.2.14
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2026.2.13
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2026.2.12
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2026.2.9
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2026.2.6
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2026.2.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2026.2.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2026.1.29
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.