File appears to expose a hardcoded API secret or token.
Critical
- Code
- suspicious.exposed_secret_literal
- Location
- dist/src/channel.js:140
- Evidence
const client = createClient({ baseUrl, userId: account.userId, authToken: [REDACTED] });
Security audit
Security checks across malware telemetry and agentic risk
This appears to be a real Rocket.Chat integration, but it gives agents powerful admin, webhook, slash-command, and local-file upload abilities without enough built-in guardrails.
Install only if you intend to give an OpenClaw agent broad Rocket.Chat authority. Use a least-privilege bot account, avoid admin roles unless necessary, restrict who can message the bot, avoid exposing local-file upload to untrusted prompts, and review any webhook, slash-command, role, room, team, or asset-changing action before use.
65/65 vendors flagged this plugin as clean.
Detected: suspicious.exposed_secret_literal
const client = createClient({ baseUrl, userId: account.userId, authToken: [REDACTED] });let authToken = [REDACTED];
return createClient({ baseUrl, userId: account.userId, authToken: [REDACTED] });const authToken = [REDACTED];
const authToken = [REDACTED]?.trim();
const client = createClient({ baseUrl, userId: account.userId, authToken: [REDACTED] });let authToken = [REDACTED] as string | undefined;
return createClient({ baseUrl, userId: account.userId, authToken: [REDACTED] });const authToken = [REDACTED];
const authToken = [REDACTED]?.trim();