critical
suspicious.env_credential_access
- Location
- index.js:173
- Finding
- Environment variable access combined with network send.
- Evidence
const v = process.env[envVar];
Memory (LanceDB, per-Agent)
AdvisoryAudited by Static analysis on May 20, 2026.
Overview
Detected: suspicious.env_credential_access, suspicious.exposed_secret_literal
Findings (4)
critical
suspicious.exposed_secret_literal
- Location
- index.js:469
- Finding
- File appears to expose a hardcoded API secret or token.
- Evidence
apiKey: [REDACTED],
critical
suspicious.exposed_secret_literal
- Location
- lib/providers/embedding-openai.js:45
- Finding
- File appears to expose a hardcoded API secret or token.
- Evidence
const apiKey = [REDACTED]();
critical
suspicious.exposed_secret_literal
- Location
- lib/providers/openclaw-memory-embedding-adapters.js:236
- Finding
- File appears to expose a hardcoded API secret or token.
- Evidence
const apiKey = [REDACTED](options.remote?.apiKey, "remote.apiKey") ||