File appears to expose a hardcoded API secret or token.
Critical
- Code
- suspicious.exposed_secret_literal
- Location
- index.js:231
- Evidence
const apiKey = [REDACTED] || readAgntConfig()?.apiKey
Security audit
Security checks across malware telemetry and agentic risk
The package appears to be a coherent ClawHub registry client whose file, network, token, and install behaviors match its stated purpose.
Install if you want a CLI that can manage ClawHub skills and OpenClaw packages. Review commands before using publish, delete/moderation, token-printing, or force-install options, and protect the stored ClawHub token like any other API credential.
58/58 vendors flagged this plugin as clean.
Detected: suspicious.exposed_secret_literal
const apiKey = [REDACTED] || readAgntConfig()?.apiKey