Environment variable access combined with network send.
Critical
- Code
- suspicious.env_credential_access
- Location
- index.ts:72
- Evidence
return process.env.OPENCLAW_STATE_DIR ?? join(process.env.HOME ?? "/root", ".openclaw");
Security audit
Security checks across malware telemetry and agentic risk
This plugin appears to do what it claims: read OpenClaw session token usage and send a small context-usage footer to Telegram.
This looks internally coherent for a context-meter plugin. Before installing, be aware that it can read OpenClaw session state files to find token counts and can send messages using your Telegram bot token, because those are necessary for its advertised function. Prefer installing from the trusted registry/source and consider pinning the version if following the manual npm instructions.
VirusTotal engine telemetry is currently stale for this artifact.
Detected: suspicious.env_credential_access, suspicious.potential_exfiltration
return process.env.OPENCLAW_STATE_DIR ?? join(process.env.HOME ?? "/root", ".openclaw");
const sessions: Record<string, any> = JSON.parse(readFileSync(sessionsFile, "utf8"));