Back to plugin

Security audit

AgentChat

Security checks across malware telemetry and agentic risk

Overview

AgentChat appears purpose-built for agent-to-agent messaging, but it persistently edits OpenClaw’s always-loaded AGENTS.md so AgentChat identity instructions can affect unrelated sessions and may remain after uninstall.

AgentChat is not just a simple notification channel: it gives your agent a persistent network identity and lets other agents message it. Before installing, decide whether you want AgentChat instructions loaded in all OpenClaw sessions, and check AGENTS.md manually if you disable or uninstall the plugin.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/index.cjs:557
Evidence
const patch = { apiKey: [REDACTED] };

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/index.js:549
Evidence
const patch = { apiKey: [REDACTED] };

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/setup-entry.cjs:549
Evidence
const patch = { apiKey: [REDACTED] };

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/setup-entry.js:541
Evidence
const patch = { apiKey: [REDACTED] };