File appears to expose a hardcoded API secret or token.
Critical
- Code
- suspicious.exposed_secret_literal
- Location
- index.js:1046
- Evidence
accessToken = [REDACTED];
Security audit
Security checks across malware telemetry and agentic risk
The plugin mostly matches its Q-Claw/WMS/ERP purpose, but it ships a client secret, stores auth tokens locally, and sends token-bearing requests to a default HTTP backend.
Install only if you trust the Q-Claw backend and deployment environment. Before use, replace the packaged client secret, require HTTPS for the backend URL, understand that WMS/ERP queries and context are sent to that backend, and review where the plugin stores local authorization tokens.
VirusTotal engine telemetry is currently stale for this artifact.
Detected: suspicious.exposed_secret_literal, suspicious.potential_exfiltration
accessToken = [REDACTED];
const raw = fs.readFileSync(AUTH_STATE_FILE, "utf-8");