File appears to expose a hardcoded API secret or token.
- Code
- suspicious.exposed_secret_literal
- Location
- src/plugin.ts:815
- Evidence
authToken: [REDACTED](api),
Security audit
Security checks across malware telemetry and agentic risk
ZhiHand appears to do what it claims—pair a mobile device with OpenClaw for screen reading, chat relay, and phone control—but it requires a sensitive OpenClaw gateway token and access to phone-screen/control data.
This looks internally consistent for a phone-control bridge. Before installing, make sure you actually want a paired ZhiHand mobile app to send prompts/media into your OpenClaw agent and allow the agent to read screenshots and send phone actions. Treat the OpenClaw gateway token like a password, prefer enabling the ZhiHand tools only for a dedicated mobile agent, and verify that gatewayResponsesEndpoint stays local unless you intentionally self-host it. Confidence is medium because some source files in the provided artifact were truncated or omitted from review.
VirusTotal engine telemetry is currently stale for this artifact.
Detected: suspicious.exposed_secret_literal, suspicious.install_untrusted_source
authToken: [REDACTED](api),
"default": "http://127.0.0.1:18789/v1/responses"