File appears to expose a hardcoded API secret or token.
Critical
- Code
- suspicious.exposed_secret_literal
- Location
- dist/index.js:136
- Evidence
apiKey: [REDACTED],
Security audit
Security checks across malware telemetry and agentic risk
This plugin does broad governance of OpenClaw tool calls and sends tool-call metadata to a configured DashClaw service, but that behavior is clearly disclosed and matches its stated purpose.
Before installing, confirm you trust the configured DashClaw instance and understand that it will receive metadata about every tool call and may block or pause actions for approval. Store the API key securely, prefer environment variables or a secrets manager, and use fail-closed only if you want governance outages to stop tool execution.
VirusTotal engine telemetry is currently stale for this artifact.
Detected: suspicious.exposed_secret_literal
apiKey: [REDACTED],
apiKey: [REDACTED],