Openclaw Msteams 2026.5.12 Beta.6.Tgz

AdvisoryAudited by Static analysis on May 10, 2026.

Overview

Detected: suspicious.env_credential_access, suspicious.exposed_secret_literal, suspicious.potential_exfiltration

Findings (7)

critical

suspicious.env_credential_access

Location: dist/graph-users-9uQJepqr.js:1068
Finding: Environment variable access combined with network send.
Evidence: const env = params.env ?? process.env;

critical

suspicious.exposed_secret_literal

Location: dist/graph-users-9uQJepqr.js:610
Finding: File appears to expose a hardcoded API secret or token.
Evidence: clientSecret: [REDACTED],

critical

suspicious.exposed_secret_literal

Location: dist/oauth-BWJyilR1.js:83
Finding: File appears to expose a hardcoded API secret or token.
Evidence: clientSecret: [REDACTED],

critical

suspicious.exposed_secret_literal

Location: dist/oauth.token-xxpoLWy5.js:26
Finding: File appears to expose a hardcoded API secret or token.
Evidence: client_secret: [REDACTED],

critical

suspicious.exposed_secret_literal

Location: dist/setup-surface-BLkFQYIQ.js:286
Finding: File appears to expose a hardcoded API secret or token.
Evidence: clientSecret: [REDACTED]

critical

suspicious.exposed_secret_literal

Location: dist/src-CP7V_TeZ.js:1089
Finding: File appears to expose a hardcoded API secret or token.
Evidence: accessToken: [REDACTED],

warn

suspicious.potential_exfiltration

Location: dist/graph-users-9uQJepqr.js:1130
Finding: Sensitive-looking file read is paired with a network send.
Evidence: const content = readFileSync(resolveDelegatedTokenPath(), "utf8");