@openclaw/zalouser
OpenClaw Zalo Personal Account plugin via native zca-js integration
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:env-spread | AI (semgrep): env-spread is used to pass environment to a child process spawn — standard CLI wrapper pattern, not exfiltration. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Decodes QR code image data to a temp file — benign, stable pattern for this package. | ai | |
Versions (showing 23 of 23)
| Version | Deps | Published |
|---|---|---|
| 2026.3.13 | 3 / 0 | |
| 2026.3.12 | 3 / 0 | |
| 2026.3.11 | 3 / 0 | |
| 2026.3.10 | 3 / 0 | |
| 2026.3.7 | 3 / 0 | |
| 2026.3.2 | 2 / 0 | |
| 2026.3.1 | 1 / 0 | |
| 2026.2.25 | 1 / 0 | |
| 2026.2.24 | 1 / 0 | |
| 2026.2.23 | 1 / 1 | |
| 2026.2.22 | 1 / 1 | |
| 2026.2.21 | 1 / 1 | |
| 2026.2.19 | 1 / 1 | |
| 2026.2.17 | 1 / 1 | |
| 2026.2.15 | 1 / 1 | |
| 2026.2.14 | 1 / 1 | |
| 2026.2.13 | 1 / 1 | |
| 2026.2.12 | 1 / 1 | |
| 2026.2.9 | 1 / 1 | |
| 2026.2.6 | 2 / 1 | |
| 2026.2.2 | 2 / 1 | |
| 2026.2.1 | 2 / 1 | |
| 2026.1.29 | 2 / 0 | |
v2026.3.13
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2026.3.12
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2026.3.11
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2026.3.10
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2026.3.7
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2026.3.2
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2026.3.1
4 findings
Spreading entire process.env into an object — may capture all secrets
```
  24 | const spawnOpts: SpawnOptions = {
  25 |   cwd: options?.cwd,
> 26 |   env: { ...process.env },
  27 |   stdio: ["pipe", "pipe", "pipe"],
  28 | };
```
Spreading entire process.env into an object — may capture all secrets
```
  83 | const spawnOpts: SpawnOptions = {
  84 |   cwd: options?.cwd,
> 85 |   env: { ...process.env },
  86 |   stdio: "inherit",
  87 | };
```
Spreading entire process.env into an object — may capture all secrets
```
  156 | const spawnOpts: SpawnOptions = {
  157 |   cwd: options?.cwd,
> 158 |   env: { ...process.env },
  159 |   stdio: ["pipe", "pipe", "pipe"],
  160 | };
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2026.2.25
4 findings
Spreading entire process.env into an object — may capture all secrets
```
  24 | const spawnOpts: SpawnOptions = {
  25 |   cwd: options?.cwd,
> 26 |   env: { ...process.env },
  27 |   stdio: ["pipe", "pipe", "pipe"],
  28 | };
```
Spreading entire process.env into an object — may capture all secrets
```
  83 | const spawnOpts: SpawnOptions = {
  84 |   cwd: options?.cwd,
> 85 |   env: { ...process.env },
  86 |   stdio: "inherit",
  87 | };
```
Spreading entire process.env into an object — may capture all secrets
```
  156 | const spawnOpts: SpawnOptions = {
  157 |   cwd: options?.cwd,
> 158 |   env: { ...process.env },
  159 |   stdio: ["pipe", "pipe", "pipe"],
  160 | };
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2026.2.24
4 findings
Spreading entire process.env into an object — may capture all secrets
```
  24 | const spawnOpts: SpawnOptions = {
  25 |   cwd: options?.cwd,
> 26 |   env: { ...process.env },
  27 |   stdio: ["pipe", "pipe", "pipe"],
  28 | };
```
Spreading entire process.env into an object — may capture all secrets
```
  83 | const spawnOpts: SpawnOptions = {
  84 |   cwd: options?.cwd,
> 85 |   env: { ...process.env },
  86 |   stdio: "inherit",
  87 | };
```
Spreading entire process.env into an object — may capture all secrets
```
  156 | const spawnOpts: SpawnOptions = {
  157 |   cwd: options?.cwd,
> 158 |   env: { ...process.env },
  159 |   stdio: ["pipe", "pipe", "pipe"],
  160 | };
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2026.2.23
4 findings
Spreading entire process.env into an object — may capture all secrets
```
  24 | const spawnOpts: SpawnOptions = {
  25 |   cwd: options?.cwd,
> 26 |   env: { ...process.env },
  27 |   stdio: ["pipe", "pipe", "pipe"],
  28 | };
```
Spreading entire process.env into an object — may capture all secrets
```
  83 | const spawnOpts: SpawnOptions = {
  84 |   cwd: options?.cwd,
> 85 |   env: { ...process.env },
  86 |   stdio: "inherit",
  87 | };
```
Spreading entire process.env into an object — may capture all secrets
```
  156 | const spawnOpts: SpawnOptions = {
  157 |   cwd: options?.cwd,
> 158 |   env: { ...process.env },
  159 |   stdio: ["pipe", "pipe", "pipe"],
  160 | };
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2026.2.22
4 findings
Spreading entire process.env into an object — may capture all secrets
```
  24 | const spawnOpts: SpawnOptions = {
  25 |   cwd: options?.cwd,
> 26 |   env: { ...process.env },
  27 |   stdio: ["pipe", "pipe", "pipe"],
  28 | };
```
Spreading entire process.env into an object — may capture all secrets
```
  83 | const spawnOpts: SpawnOptions = {
  84 |   cwd: options?.cwd,
> 85 |   env: { ...process.env },
  86 |   stdio: "inherit",
  87 | };
```
Spreading entire process.env into an object — may capture all secrets
```
  156 | const spawnOpts: SpawnOptions = {
  157 |   cwd: options?.cwd,
> 158 |   env: { ...process.env },
  159 |   stdio: ["pipe", "pipe", "pipe"],
  160 | };
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2026.2.21
4 findings
Spreading entire process.env into an object — may capture all secrets
```
  24 | const spawnOpts: SpawnOptions = {
  25 |   cwd: options?.cwd,
> 26 |   env: { ...process.env },
  27 |   stdio: ["pipe", "pipe", "pipe"],
  28 | };
```
Spreading entire process.env into an object — may capture all secrets
```
  83 | const spawnOpts: SpawnOptions = {
  84 |   cwd: options?.cwd,
> 85 |   env: { ...process.env },
  86 |   stdio: "inherit",
  87 | };
```
Spreading entire process.env into an object — may capture all secrets
```
  156 | const spawnOpts: SpawnOptions = {
  157 |   cwd: options?.cwd,
> 158 |   env: { ...process.env },
  159 |   stdio: ["pipe", "pipe", "pipe"],
  160 | };
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2026.2.19
4 findings
Spreading entire process.env into an object — may capture all secrets
```
  24 | const spawnOpts: SpawnOptions = {
  25 |   cwd: options?.cwd,
> 26 |   env: { ...process.env },
  27 |   stdio: ["pipe", "pipe", "pipe"],
  28 | };
```
Spreading entire process.env into an object — may capture all secrets
```
  83 | const spawnOpts: SpawnOptions = {
  84 |   cwd: options?.cwd,
> 85 |   env: { ...process.env },
  86 |   stdio: "inherit",
  87 | };
```
Spreading entire process.env into an object — may capture all secrets
```
  156 | const spawnOpts: SpawnOptions = {
  157 |   cwd: options?.cwd,
> 158 |   env: { ...process.env },
  159 |   stdio: ["pipe", "pipe", "pipe"],
  160 | };
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2026.2.17
4 findings
Spreading entire process.env into an object — may capture all secrets
```
  24 | const spawnOpts: SpawnOptions = {
  25 |   cwd: options?.cwd,
> 26 |   env: { ...process.env },
  27 |   stdio: ["pipe", "pipe", "pipe"],
  28 | };
```
Spreading entire process.env into an object — may capture all secrets
```
  83 | const spawnOpts: SpawnOptions = {
  84 |   cwd: options?.cwd,
> 85 |   env: { ...process.env },
  86 |   stdio: "inherit",
  87 | };
```
Spreading entire process.env into an object — may capture all secrets
```
  156 | const spawnOpts: SpawnOptions = {
  157 |   cwd: options?.cwd,
> 158 |   env: { ...process.env },
  159 |   stdio: ["pipe", "pipe", "pipe"],
  160 | };
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2026.2.15
4 findings
Spreading entire process.env into an object — may capture all secrets
```
  24 | const spawnOpts: SpawnOptions = {
  25 |   cwd: options?.cwd,
> 26 |   env: { ...process.env },
  27 |   stdio: ["pipe", "pipe", "pipe"],
  28 | };
```
Spreading entire process.env into an object — may capture all secrets
```
  83 | const spawnOpts: SpawnOptions = {
  84 |   cwd: options?.cwd,
> 85 |   env: { ...process.env },
  86 |   stdio: "inherit",
  87 | };
```
Spreading entire process.env into an object — may capture all secrets
```
  156 | const spawnOpts: SpawnOptions = {
  157 |   cwd: options?.cwd,
> 158 |   env: { ...process.env },
  159 |   stdio: ["pipe", "pipe", "pipe"],
  160 | };
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2026.2.14
4 findings
Spreading entire process.env into an object — may capture all secrets
```
  24 | const spawnOpts: SpawnOptions = {
  25 |   cwd: options?.cwd,
> 26 |   env: { ...process.env },
  27 |   stdio: ["pipe", "pipe", "pipe"],
  28 | };
```
Spreading entire process.env into an object — may capture all secrets
```
  83 | const spawnOpts: SpawnOptions = {
  84 |   cwd: options?.cwd,
> 85 |   env: { ...process.env },
  86 |   stdio: "inherit",
  87 | };
```
Spreading entire process.env into an object — may capture all secrets
```
  156 | const spawnOpts: SpawnOptions = {
  157 |   cwd: options?.cwd,
> 158 |   env: { ...process.env },
  159 |   stdio: ["pipe", "pipe", "pipe"],
  160 | };
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2026.2.13
4 findings
Spreading entire process.env into an object — may capture all secrets
```
  24 | const spawnOpts: SpawnOptions = {
  25 |   cwd: options?.cwd,
> 26 |   env: { ...process.env },
  27 |   stdio: ["pipe", "pipe", "pipe"],
  28 | };
```
Spreading entire process.env into an object — may capture all secrets
```
  83 | const spawnOpts: SpawnOptions = {
  84 |   cwd: options?.cwd,
> 85 |   env: { ...process.env },
  86 |   stdio: "inherit",
  87 | };
```
Spreading entire process.env into an object — may capture all secrets
```
  156 | const spawnOpts: SpawnOptions = {
  157 |   cwd: options?.cwd,
> 158 |   env: { ...process.env },
  159 |   stdio: ["pipe", "pipe", "pipe"],
  160 | };
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2026.2.12
4 findings
Spreading entire process.env into an object — may capture all secrets
```
  24 | const spawnOpts: SpawnOptions = {
  25 |   cwd: options?.cwd,
> 26 |   env: { ...process.env },
  27 |   stdio: ["pipe", "pipe", "pipe"],
  28 | };
```
Spreading entire process.env into an object — may capture all secrets
```
  83 | const spawnOpts: SpawnOptions = {
  84 |   cwd: options?.cwd,
> 85 |   env: { ...process.env },
  86 |   stdio: "inherit",
  87 | };
```
Spreading entire process.env into an object — may capture all secrets
```
  156 | const spawnOpts: SpawnOptions = {
  157 |   cwd: options?.cwd,
> 158 |   env: { ...process.env },
  159 |   stdio: ["pipe", "pipe", "pipe"],
  160 | };
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2026.2.9
4 findings
Spreading entire process.env into an object — may capture all secrets
```
  24 | const spawnOpts: SpawnOptions = {
  25 |   cwd: options?.cwd,
> 26 |   env: { ...process.env },
  27 |   stdio: ["pipe", "pipe", "pipe"],
  28 | };
```
Spreading entire process.env into an object — may capture all secrets
```
  83 | const spawnOpts: SpawnOptions = {
  84 |   cwd: options?.cwd,
> 85 |   env: { ...process.env },
  86 |   stdio: "inherit",
  87 | };
```
Spreading entire process.env into an object — may capture all secrets
```
  156 | const spawnOpts: SpawnOptions = {
  157 |   cwd: options?.cwd,
> 158 |   env: { ...process.env },
  159 |   stdio: ["pipe", "pipe", "pipe"],
  160 | };
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2026.2.6
4 findings
Spreading entire process.env into an object — may capture all secrets
```
  23 | const spawnOpts: SpawnOptions = {
  24 |   cwd: options?.cwd,
> 25 |   env: { ...process.env },
  26 |   stdio: ["pipe", "pipe", "pipe"],
  27 | };
```
Spreading entire process.env into an object — may capture all secrets
```
  82 | const spawnOpts: SpawnOptions = {
  83 |   cwd: options?.cwd,
> 84 |   env: { ...process.env },
  85 |   stdio: "inherit",
  86 | };
```
Spreading entire process.env into an object — may capture all secrets
```
  160 | const spawnOpts: SpawnOptions = {
  161 |   cwd: options?.cwd,
> 162 |   env: { ...process.env },
  163 |   stdio: ["pipe", "pipe", "pipe"],
  164 | };
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2026.2.2
4 findings
Spreading entire process.env into an object — may capture all secrets
```
  23 | const spawnOpts: SpawnOptions = {
  24 |   cwd: options?.cwd,
> 25 |   env: { ...process.env },
  26 |   stdio: ["pipe", "pipe", "pipe"],
  27 | };
```
Spreading entire process.env into an object — may capture all secrets
```
  82 | const spawnOpts: SpawnOptions = {
  83 |   cwd: options?.cwd,
> 84 |   env: { ...process.env },
  85 |   stdio: "inherit",
  86 | };
```
Spreading entire process.env into an object — may capture all secrets
```
  160 | const spawnOpts: SpawnOptions = {
  161 |   cwd: options?.cwd,
> 162 |   env: { ...process.env },
  163 |   stdio: ["pipe", "pipe", "pipe"],
  164 | };
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2026.2.1
4 findings
Spreading entire process.env into an object — may capture all secrets
```
  23 | const spawnOpts: SpawnOptions = {
  24 |   cwd: options?.cwd,
> 25 |   env: { ...process.env },
  26 |   stdio: ["pipe", "pipe", "pipe"],
  27 | };
```
Spreading entire process.env into an object — may capture all secrets
```
  82 | const spawnOpts: SpawnOptions = {
  83 |   cwd: options?.cwd,
> 84 |   env: { ...process.env },
  85 |   stdio: "inherit",
  86 | };
```
Spreading entire process.env into an object — may capture all secrets
```
  160 | const spawnOpts: SpawnOptions = {
  161 |   cwd: options?.cwd,
> 162 |   env: { ...process.env },
  163 |   stdio: ["pipe", "pipe", "pipe"],
  164 | };
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2026.1.29
4 findings
Spreading entire process.env into an object — may capture all secrets
```
  27 | const spawnOpts: SpawnOptions = {
  28 |   cwd: options?.cwd,
> 29 |   env: { ...process.env },
  30 |   stdio: ["pipe", "pipe", "pipe"],
  31 | };
```
Spreading entire process.env into an object — may capture all secrets
```
  89 | const spawnOpts: SpawnOptions = {
  90 |   cwd: options?.cwd,
> 91 |   env: { ...process.env },
  92 |   stdio: "inherit",
  93 | };
```
Spreading entire process.env into an object — may capture all secrets
```
  166 | const spawnOpts: SpawnOptions = {
  167 |   cwd: options?.cwd,
> 168 |   env: { ...process.env },
  169 |   stdio: ["pipe", "pipe", "pipe"],
  170 | };
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.