Community code plugin. Review compatibility and verification before install.
Latest release: v0.3.0
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The stated Find My/OCR/location purpose matches much of the capability, but real-time or last-known friend location access is highly sensitive and should be tightly disclosed and controlled.
Instruction Scope
The exposed lookup tools can access broad or targeted person-location data without a clear per-call consent gate or user-facing confirmation.
Install Mechanism
Installation appears to be a normal package/plugin install, but the package depends on openclaw 2026.3.23, which the supplied scan reports as having known advisories.
Credentials
The plugin uses macOS screen-recording/OCR style access and a local Find My CLI path discovered from environment or PATH, which is powerful and under-scoped for such sensitive data.
Persistence & Privilege
No hidden persistence or exfiltration was shown, but executing a host binary with the agent process privileges and reading Find My data creates a high-impact privilege boundary.
Scan Findings in Context
[SDI-2] expected: Using a local CLI is plausibly part of the design, but trusting FINDMY_CLI_PATH or PATH without binary verification is a material supply-chain and host-integrity concern.
[SDI-2] expected: Executing the external binary is purpose-aligned for a CLI-backed integration, but it is high-impact because the binary can access sensitive location data and runs with host privileges.
[SQP-2] unexpected: Location lookup without explicit runtime confirmation is not adequately scoped for friend or person-specific Find My data.
[SQP-2] expected: Screen recording and OCR may be core functionality, but the metadata/docs need stronger privacy disclosure and consent expectations.
[SC4] unexpected: The vulnerable openclaw dependency is not required by the purpose and increases risk around a plugin that already handles sensitive permissions and executable behavior.
What to consider before installing
Install only if you intentionally want an agent to access Find My location information and you understand the macOS screen-recording/OCR exposure. Verify the Find My CLI binary path yourself, avoid relying on PATH discovery, and prefer waiting for a version with explicit per-call consent, stronger privacy disclosures, and a patched OpenClaw dependency.
dist/index.js:56
Shell command execution detected (child_process).
src/index.ts:9
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.