File appears to expose a hardcoded API secret or token.
Critical
- Code
- suspicious.exposed_secret_literal
- Location
- dist/accounts-CF4oK_HZ.mjs:218
- Evidence
const clientSecret = [REDACTED](cfg?.clientSecret, "channels.dingtalk-connector.clientSecret");
Security audit
Security checks across malware telemetry and agentic risk
This looks like a legitimate DingTalk connector, but it can act as you in DingTalk and its default-open chat access should be reviewed before use.
Install only if you are comfortable letting OpenClaw act through your DingTalk authorization. Before using it in any company workspace, restrict dmPolicy/groupPolicy with allowlists, keep mention requirements on, require confirmation for destructive actions, and protect the ~/.openclaw credential files.
VirusTotal engine telemetry is currently stale for this artifact.
Detected: suspicious.exposed_secret_literal
const clientSecret = [REDACTED](cfg?.clientSecret, "channels.dingtalk-connector.clientSecret");
clientSecret: [REDACTED],
clientSecret: [REDACTED]().optional(),
...(creds?.clientSecret && { DWS_CLIENT_SECRET: [REDACTED] }),const clientSecret = [REDACTED](cfg?.clientSecret, "channels.dingtalk-connector.clientSecret");
clientSecret: [REDACTED]().optional(),
clientSecret: [REDACTED],
clientSecret: [REDACTED],
clientSecret: [REDACTED],