File appears to expose a hardcoded API secret or token.
Critical
- Code
- suspicious.exposed_secret_literal
- Location
- dist/src/attachments/bot-framework.js:35
- Evidence
bearerToken: [REDACTED],
Security audit
Security checks across malware telemetry and agentic risk
This Teams plugin appears functional, but it gives agents broad Microsoft Graph powers including chat search, message reads, participant changes, and group renaming.
Install only if you intend to let OpenClaw operate with broad Microsoft Teams and Graph authority. Before enabling it in a tenant, restrict Graph permissions to the exact features you need, keep groupPolicy and dmPolicy allowlisted, disable or deny administrative actions unless explicitly required, and treat persisted delegated tokens as sensitive credentials.
61/61 vendors flagged this plugin as clean.
Detected: suspicious.exposed_secret_literal
bearerToken: [REDACTED],
accessToken: [REDACTED],
clientSecret: [REDACTED],
clientSecret: [REDACTED],
client_secret: [REDACTED],
clientSecret: [REDACTED],
clientSecret: [REDACTED],
clientSecret: [REDACTED],
bearerToken: [REDACTED],
accessToken: [REDACTED],
clientSecret: [REDACTED],
client_secret: [REDACTED],
clientSecret: [REDACTED],
clientSecret: [REDACTED],
clientSecret: [REDACTED],
clientSecret: [REDACTED],