File appears to expose a hardcoded API secret or token.
Critical
- Code
- suspicious.exposed_secret_literal
- Location
- README.md:28
- Evidence
export VOLCENGINE_REALTIME_ACCESS_KEY="[REDACTED]"
Security audit
Security checks across malware telemetry and agentic risk
The package is a coherent ClawHub CLI/admin tool with disclosed registry, local install, publishing, and moderation capabilities that fit its stated purpose.
Install this only if you intend to use ClawHub registry workflows. Review commands carefully before using publish, delete, transfer, moderation, or admin email features, and protect any stored ClawHub token like other account credentials.
52/52 vendors flagged this plugin as clean.
Detected: suspicious.exposed_secret_literal
export VOLCENGINE_REALTIME_ACCESS_KEY="[REDACTED]"