File appears to expose a hardcoded API secret or token.
Critical
- Code
- suspicious.exposed_secret_literal
- Location
- index.js:231
- Evidence
const apiKey = [REDACTED] || readAgntConfig()?.apiKey
Security audit
Security checks across malware telemetry and agentic risk
The package is a disclosed ClawHub/OpenClaw CLI whose file, network, token, and moderation capabilities match its stated purpose.
Install only if you want this CLI to manage ClawHub/OpenClaw skills and packages. Logging in stores an API token locally, and publish/sync commands can upload selected local files; review targets carefully before using --force or --yes.
61/61 vendors flagged this plugin as clean.
Detected: suspicious.exposed_secret_literal
const apiKey = [REDACTED] || readAgntConfig()?.apiKey