Back to plugin

Security audit

Rocketchat Openclaw

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Rocket.Chat integration, but it gives agents powerful admin, webhook, slash-command, and local-file upload abilities without enough built-in guardrails.

Install only if you intend to give an OpenClaw agent broad Rocket.Chat authority. Use a least-privilege bot account, avoid admin roles unless necessary, restrict who can message the bot, avoid exposing local-file upload to untrusted prompts, and review any webhook, slash-command, role, room, team, or asset-changing action before use.

VirusTotal

65/65 vendors flagged this plugin as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/src/channel.js:140
Evidence
const client = createClient({ baseUrl, userId: account.userId, authToken: [REDACTED] });

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/src/rocketchat/accounts.js:33
Evidence
let authToken = [REDACTED];

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/src/rocketchat/actions.js:16
Evidence
return createClient({ baseUrl, userId: account.userId, authToken: [REDACTED] });

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/src/rocketchat/monitor.js:343
Evidence
const authToken = [REDACTED];

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/src/rocketchat/send.js:103
Evidence
const authToken = [REDACTED]?.trim();

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
src/channel.ts:171
Evidence
const client = createClient({ baseUrl, userId: account.userId, authToken: [REDACTED] });

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
src/rocketchat/accounts.ts:112
Evidence
let authToken = [REDACTED] as string | undefined;

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
src/rocketchat/actions.ts:29
Evidence
return createClient({ baseUrl, userId: account.userId, authToken: [REDACTED] });

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
src/rocketchat/monitor.ts:442
Evidence
const authToken = [REDACTED];

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
src/rocketchat/send.ts:137
Evidence
const authToken = [REDACTED]?.trim();