File appears to expose a hardcoded API secret or token.
Critical
- Code
- suspicious.exposed_secret_literal
- Location
- index.js:231
- Evidence
const apiKey = [REDACTED] || readAgntConfig()?.apiKey
Security audit
Security checks across malware telemetry and agentic risk
This appears to be a legitimate ClawHub CLI, but it can publish local skill folders in a surprising default path when a token is stored.
Install only if you intend to use this CLI for ClawHub publishing and package management. Avoid running it with no subcommand in tokened CI or headless environments; prefer explicit commands such as `clawhub sync --dry-run`, review the detected files, and use `.clawhubignore` for anything that must not be uploaded.
61/61 vendors flagged this plugin as clean.
Detected: suspicious.exposed_secret_literal
const apiKey = [REDACTED] || readAgntConfig()?.apiKey