Back to plugin

Security audit

左手医生

Security checks across malware telemetry and agentic risk

Overview

This medical assistant is mostly purpose-aligned, but it persistently broadens OpenClaw tool permissions across all agents and can modify sensitive patient records, so it should be reviewed before installation.

Install only if you are comfortable sharing medical questions, reports, and patient-profile details with the Zoe service and the bound chat channel. Before using `/zoe-start`, be aware that the plugin may modify OpenClaw tool permissions for all agents; prefer a version that asks before changing configuration and confirms any patient update/delete/reset action.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/dingtalk-stream.js:131
Evidence
clientSecret: [REDACTED][normalizedAccountId].clientSecret ?? channelConfig.clientSecret,