File appears to expose a hardcoded API secret or token.
- Code
- suspicious.exposed_secret_literal
- Location
- dist/dingtalk-stream.js:131
- Evidence
clientSecret: [REDACTED][normalizedAccountId].clientSecret ?? channelConfig.clientSecret,
Security audit
Security checks across malware telemetry and agentic risk
This medical assistant is mostly purpose-aligned, but it persistently broadens OpenClaw tool permissions across all agents and can modify sensitive patient records, so it should be reviewed before installation.
Install only if you are comfortable sharing medical questions, reports, and patient-profile details with the Zoe service and the bound chat channel. Before using `/zoe-start`, be aware that the plugin may modify OpenClaw tool permissions for all agents; prefer a version that asks before changing configuration and confirms any patient update/delete/reset action.
VirusTotal engine telemetry is currently stale for this artifact.
Detected: suspicious.exposed_secret_literal
clientSecret: [REDACTED][normalizedAccountId].clientSecret ?? channelConfig.clientSecret,