File appears to expose a hardcoded API secret or token.
Critical
- Code
- suspicious.exposed_secret_literal
- Location
- dist/channel.js:346
- Evidence
password: [REDACTED],
Security audit
Security checks across malware telemetry and agentic risk
This appears to be a legitimate Delta Chat bridge for OpenClaw, but it handles chat credentials, persistent message data, remote user access, and an external Delta Chat RPC binary.
Before installing, use a dedicated bot account or auto-created chatmail account, install deltachat-rpc-server from a trusted source, protect ~/.openclaw/deltachat-data and your OpenClaw config, keep configWrites off unless you need it, and configure allowlists/pairing for any agent that can perform sensitive actions.
62/62 vendors flagged this plugin as clean.
Detected: suspicious.exposed_secret_literal
password: [REDACTED],
password: [REDACTED],