File appears to expose a hardcoded API secret or token.
Critical
- Code
- suspicious.exposed_secret_literal
- Location
- dist/dingtalk/client.js:71
- Evidence
clientSecret: [REDACTED],
Security audit
Security checks across malware telemetry and agentic risk
This is a disclosed remote OpenCode chat bot with powerful coding and scheduling features, so it appears purpose-aligned but should only be installed by users who understand the account and local-code access it grants.
Install this only if you want chat-based control over local OpenCode projects. Configure DingTalk/Feishu/OpenClaw access narrowly, set allowed users, protect the .env secrets, avoid auto-confirm for risky prompts, and review any scheduled tasks.
VirusTotal engine telemetry is currently stale for this artifact.
Detected: suspicious.exposed_secret_literal
clientSecret: [REDACTED],
OPENCODE_SERVER_PASSWORD: [REDACTED],