File appears to expose a hardcoded API secret or token.
- Code
- suspicious.exposed_secret_literal
- Location
- src/config.ts:63
- Evidence
const password = [REDACTED] ?? "";
Security audit
Security checks across malware telemetry and agentic risk
The package fits its multi-agent orchestration purpose, but it installs a persistent host plugin and can persist task content to external systems with some under-scoped data-sharing controls.
Review this before installing on a sensitive host. Use a dedicated MariaDB database/user, a narrowly scoped Linear token, and keep VECNA disabled unless you explicitly want shared memory. Do not send secrets or sensitive business/customer data through operator objectives, specialist prompts, Linear ticket text, or VECNA fragments. Also treat the ClawHub metadata as incomplete: this package does execute runtime plugin/CLI code and activates on OpenClaw gateway startup.
65/65 vendors flagged this plugin as clean.
Detected: suspicious.exposed_secret_literal
const password = [REDACTED] ?? "";
const bearer = [REDACTED](env);