Exposed secret literal
Critical
- Finding
- File appears to expose a hardcoded API secret or token.
- Content
apiKey: [REDACTED],
AXON
Security checks across static analysis, malware telemetry, and agentic risk
Overview
AXON is a coherent real-money wallet/payment plugin, but its operator mode can move funds, issue keys, and freeze wallets without an artifact-shown confirmation boundary, so it needs review before use.
Install only if you intend to connect OpenClaw to AXON for real-money wallet/payment operations. Keep runtime and operator profiles separate, do not place an operatorDecisionApiKey in worker agents, require human review for all operator actions, and protect any returned runtime keys like passwords.
Publisher note
AXON is a real-money x402 and workforce-wallet plugin. The package intentionally exposes two separated profiles: runtime and operator. Runtime profiles use wallet-scoped decisionApiKey credentials and cannot call operator tools. Operator profiles require surfaceMode="operator" plus an org-wide operatorDecisionApiKey and are intended only for trusted, human-supervised control-plane use. Runtime spend is bounded by AXON mandates, budgets, allowlists, approval thresholds, and wallet-scoped keys. AXON backend rejects non-wallet-bound operator/static keys from runtime spend paths. Operator tools can create wallets, update mandates, fund wallets, issue/revoke keys, and trigger emergency stops. Deploy operator mode only in restricted OpenClaw profiles, keep operatorDecisionApiKey out of worker agents, and require human approval for funding, mandate changes, key issuance/revocation, and emergency stop actions. Runtime keys returned by the operator flow are one-time plaintext secrets. Store them only in the intended worker profile, avoid sharing outputs containing keys, and revoke immediately if exposed.
Static analysis
Install untrusted source
Warn
- Finding
- Install source points to URL shortener or raw IP.
- Content
"placeholder": "http://127.0.0.1:3030",
VirusTotal
47/47 vendors flagged this plugin as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
#
ASI02: Tool Misuse and Exploitation
Medium
What this means
A worker profile can make paid external service requests through the configured AXON wallet policy.
Why it was flagged
The runtime tool is intended to perform external HTTP requests and x402 auto-payment through AXON governance. This is purpose-aligned, but users should understand that it can send request data and trigger paid provider calls.
Skill content
description: "Governed HTTP fetch with x402 auto-pay, SSAR decisions, and forensic receipt output."
Recommendation
Use wallet-scoped runtime keys, set strict AXON budgets/allowlists, and review spending receipts and approval thresholds.
#
ASI02: Tool Misuse and Exploitation
High
What this means
If an operator profile is available to an autonomous agent, mistakes or prompt manipulation could fund wallets, change spending controls, revoke keys, or freeze organizational resources.
Why it was flagged
The operator profile exposes direct financial and organization-control actions. The artifacts describe surface separation, but the provided code/docs do not show a built-in per-call human confirmation gate for these high-impact actions.
Skill content
`axon_operator_fund_pocket` | Move USDC from organization vault to a bounded worker wallet. ... `axon_operator_emergency_stop` | Freeze a pocket, department, or organization.
Recommendation
Deploy operator mode only in a restricted, human-supervised profile; require explicit user approval for funding, mandate changes, key issuance/revocation, and emergency stops.
#
ASI03: Identity and Privilege Abuse
High
What this means
Users may not realize before installation that the plugin needs high-value API keys capable of real-money wallet operations.
Why it was flagged
The skill requires separate runtime and operator credentials, including an org-wide operator credential, while the registry metadata declares no primary credential or required configuration. That under-declares an important permission boundary.
Skill content
Runtime tools use only `decisionApiKey`. Operator tools use only `operatorDecisionApiKey`.
Recommendation
The package should declare its credential/config requirements clearly in metadata, and users should keep operatorDecisionApiKey out of worker profiles.
#
ASI03: Identity and Privilege Abuse
Medium
What this means
A returned runtime key could be exposed if the agent transcript, logs, or generated profile patch are shared.
Why it was flagged
Issuing a runtime key intentionally returns a plaintext credential and embeds it in worker OpenClaw config. This is expected for the workflow, but it places a secret in the tool result/context.
Skill content
const plaintext = readObjectString(response, "plaintext"); ... decisionApiKey: plaintext
Recommendation
Treat issued runtime keys as secrets, store them only in the intended worker profile, and revoke them immediately if exposed.
#
ASI07: Insecure Inter-Agent Communication
Low
What this means
Operator tool arguments and results are sent to the configured Decision API service.
Why it was flagged
Operator actions are relayed as JSON-RPC/MCP-style tool calls to the configured AXON Decision API. This is consistent with the plugin design, but it means wallet and operator action details leave the local agent environment.
Skill content
this.http.request("POST", "/v1/operator/mcp", { jsonrpc: "2.0", ... params: { name: toolName, arguments: args } })Recommendation
Use only a trusted Decision API URL, prefer HTTPS outside local development, and avoid sending operator actions through untrusted profiles or networks.