Openclaw Matrix 2026.5.12 Beta.6.Tgz

AdvisoryAudited by Static analysis on May 10, 2026.

Overview

Detected: suspicious.dangerous_exec, suspicious.exposed_secret_literal

Findings (22)

critical

suspicious.dangerous_exec

Location: src/matrix/deps.ts:71
Finding: Shell command execution detected (child_process).
Evidence: const proc = spawn(command, args, {

critical

suspicious.exposed_secret_literal

Location: src/channel.directory.test.ts:480
Finding: File appears to expose a hardcoded API secret or token.
Evidence: accessToken: "[REDACTED]",

critical

suspicious.exposed_secret_literal

Location: src/channel.ts:338
Finding: File appears to expose a hardcoded API secret or token.
Evidence: accessToken: [REDACTED],

critical

suspicious.exposed_secret_literal

Location: src/cli.ts:182
Finding: File appears to expose a hardcoded API secret or token.
Evidence: accessToken: [REDACTED],

critical

suspicious.exposed_secret_literal

Location: src/config-schema.ts:56
Finding: File appears to expose a hardcoded API secret or token.
Evidence: password: [REDACTED]().optional(),

critical

suspicious.exposed_secret_literal

Location: src/matrix/client/config.ts:249
Finding: File appears to expose a hardcoded API secret or token.
Evidence: accessToken: [REDACTED](matrix, "accessToken"),

critical

suspicious.exposed_secret_literal

Location: src/matrix/client/create-client.ts:37
Finding: File appears to expose a hardcoded API secret or token.
Evidence: accessToken: [REDACTED],

critical

suspicious.exposed_secret_literal

Location: src/matrix/client/shared.ts:39
Finding: File appears to expose a hardcoded API secret or token.
Evidence: accessToken: [REDACTED],

critical

suspicious.exposed_secret_literal

Location: src/matrix/client/storage.test.ts:307
Finding: File appears to expose a hardcoded API secret or token.
Evidence: accessToken: "[REDACTED]",

critical

suspicious.exposed_secret_literal

Location: src/matrix/client/storage.ts:273
Finding: File appears to expose a hardcoded API secret or token.
Evidence: accessToken: [REDACTED],

critical

suspicious.exposed_secret_literal

Location: src/matrix/monitor/inbound-dedupe.ts:66
Finding: File appears to expose a hardcoded API secret or token.
Evidence: accessToken: [REDACTED],

critical

suspicious.exposed_secret_literal

Location: src/matrix/monitor/legacy-crypto-restore.ts:54
Finding: File appears to expose a hardcoded API secret or token.
Evidence: accessToken: [REDACTED],

critical

suspicious.exposed_secret_literal

Location: src/matrix/monitor/startup-verification.ts:52
Finding: File appears to expose a hardcoded API secret or token.
Evidence: accessToken: [REDACTED],

critical

suspicious.exposed_secret_literal

Location: src/matrix/probe.ts:53
Finding: File appears to expose a hardcoded API secret or token.
Evidence: accessToken: [REDACTED],

critical

suspicious.exposed_secret_literal

Location: src/matrix/sdk/crypto-bootstrap.test.ts:318
Finding: File appears to expose a hardcoded API secret or token.
Evidence: password: "[REDACTED]", // pragma: allowlist secret

critical

suspicious.exposed_secret_literal

Location: src/matrix/sdk/crypto-bootstrap.ts:117
Finding: File appears to expose a hardcoded API secret or token.
Evidence: password: [REDACTED]?.(),

critical

suspicious.exposed_secret_literal

Location: src/matrix/sdk/http-client.ts:22
Finding: File appears to expose a hardcoded API secret or token.
Evidence: accessToken: [REDACTED],

critical

suspicious.exposed_secret_literal

Location: src/matrix/sdk/recovery-key-store.ts:142
Finding: File appears to expose a hardcoded API secret or token.
Evidence: privateKey = [REDACTED](encodedPrivateKey);

critical

suspicious.exposed_secret_literal

Location: src/matrix/thread-bindings.ts:68
Finding: File appears to expose a hardcoded API secret or token.
Evidence: accessToken: [REDACTED],

critical

suspicious.exposed_secret_literal

Location: src/onboarding.ts:388
Finding: File appears to expose a hardcoded API secret or token.
Evidence: let accessToken = [REDACTED] ?? "";

critical

suspicious.exposed_secret_literal

Location: src/setup-config.ts:26
Finding: File appears to expose a hardcoded API secret or token.
Evidence: const accessToken = [REDACTED]?.trim();

critical

suspicious.exposed_secret_literal

Location: src/setup-core.ts:35
Finding: File appears to expose a hardcoded API secret or token.
Evidence: accessToken: [REDACTED],