Openclaw Qqbot 2026.5.12 Beta.6.Tgz

AdvisoryAudited by Static analysis on May 10, 2026.

Overview

Detected: suspicious.env_credential_access, suspicious.exposed_secret_literal

Findings (8)

critical

suspicious.env_credential_access

Location: dist/gateway-Cs3-_on9.js:76
Finding: Environment variable access combined with network send.
Evidence: const home = process.env.HOME || process.env.USERPROFILE || "";

critical

suspicious.env_credential_access

Location: dist/sender-p-B14eLG.js:1325
Finding: Environment variable access combined with network send.
Evidence: const isDebug = () => !!process.env.QQBOT_DEBUG;

critical

suspicious.exposed_secret_literal

Location: dist/channel-CC2YO9fj.js:458
Finding: File appears to expose a hardcoded API secret or token.
Evidence: clientSecret: [REDACTED]

critical

suspicious.exposed_secret_literal

Location: dist/config-schema-DFcjQw73.js:46
Finding: File appears to expose a hardcoded API secret or token.
Evidence: clientSecret = [REDACTED];

critical

suspicious.exposed_secret_literal

Location: dist/gateway-Cs3-_on9.js:5420
Finding: File appears to expose a hardcoded API secret or token.
Evidence: clientSecret: [REDACTED]

critical

suspicious.exposed_secret_literal

Location: dist/narrowing-BoieBTIU.js:9
Finding: File appears to expose a hardcoded API secret or token.
Evidence: clientSecret: [REDACTED],

critical

suspicious.exposed_secret_literal

Location: dist/resolve-D_06fV6-.js:225
Finding: File appears to expose a hardcoded API secret or token.
Evidence: clientSecret: [REDACTED],

critical

suspicious.exposed_secret_literal

Location: dist/sender-p-B14eLG.js:1769
Finding: File appears to expose a hardcoded API secret or token.
Evidence: clientSecret: [REDACTED]