Openclaw Bluebubbles 2026.5.7.Tgz

AdvisoryAudited by Static analysis on May 10, 2026.

Overview

Detected: suspicious.dangerous_exec, suspicious.exposed_secret_literal

Findings (7)

critical

suspicious.dangerous_exec

Location: dist/monitor-processing-Dy-LY2QQ.js:548
Finding: Shell command execution detected (child_process).
Evidence: const match = PART_INDEX_REPLY_TO_ID_PATTERN.exec(trimmed);

critical

suspicious.exposed_secret_literal

Location: dist/catchup-lsNTIuSa.js:195
Finding: File appears to expose a hardcoded API secret or token.
Evidence: password: [REDACTED],

critical

suspicious.exposed_secret_literal

Location: dist/channel-BSIXOcHe.js:152
Finding: File appears to expose a hardcoded API secret or token.
Evidence: const password = [REDACTED](account.config.password);

critical

suspicious.exposed_secret_literal

Location: dist/channel.runtime-ZppuKLfQ.js:380
Finding: File appears to expose a hardcoded API secret or token.
Evidence: password: [REDACTED],

critical

suspicious.exposed_secret_literal

Location: dist/config-schema-a7F7uzDv.js:67
Finding: File appears to expose a hardcoded API secret or token.
Evidence: password: [REDACTED]().optional(),

critical

suspicious.exposed_secret_literal

Location: dist/monitor-processing-Dy-LY2QQ.js:1281
Finding: File appears to expose a hardcoded API secret or token.
Evidence: const password = [REDACTED](account.config.password);

critical

suspicious.exposed_secret_literal

Location: dist/probe-B4I0cEVm.js:163
Finding: File appears to expose a hardcoded API secret or token.
Evidence: const password = [REDACTED]({