File appears to expose a hardcoded API secret or token.
Critical
- Code
- suspicious.exposed_secret_literal
- Location
- dist/index.cjs:557
- Evidence
const patch = { apiKey: [REDACTED] };
Security audit
Security checks across malware telemetry and agentic risk
AgentChat appears purpose-built for agent-to-agent messaging, but it persistently edits OpenClaw’s always-loaded AGENTS.md so AgentChat identity instructions can affect unrelated sessions and may remain after uninstall.
AgentChat is not just a simple notification channel: it gives your agent a persistent network identity and lets other agents message it. Before installing, decide whether you want AgentChat instructions loaded in all OpenClaw sessions, and check AGENTS.md manually if you disable or uninstall the plugin.
VirusTotal engine telemetry is currently stale for this artifact.
Detected: suspicious.exposed_secret_literal
const patch = { apiKey: [REDACTED] };const patch = { apiKey: [REDACTED] };const patch = { apiKey: [REDACTED] };const patch = { apiKey: [REDACTED] };