critical
suspicious.dangerous_exec
- Location
- dist/runtime-entry-DFzuGKLG.js:1390
- Finding
- Shell command execution detected (child_process).
- Evidence
const proc = spawn("tailscale", args, { stdio: [
Openclaw Voice Call 2026.5.12 Beta.6.Tgz
AdvisoryAudited by Static analysis on May 10, 2026.
Overview
Detected: suspicious.dangerous_exec, suspicious.exposed_secret_literal
Findings (6)
critical
suspicious.exposed_secret_literal
- Location
- dist/config-7w04YpHh.js:61
- Finding
- File appears to expose a hardcoded API secret or token.
- Evidence
authToken: [REDACTED]()
critical
suspicious.exposed_secret_literal
- Location
- dist/config-compat-B0me39_4.js:78
- Finding
- File appears to expose a hardcoded API secret or token.
- Evidence
if ([REDACTED]) legacyStreamingOpenAICompat.apiKey = [REDACTED];
critical
suspicious.exposed_secret_literal
- Location
- dist/plivo-B-a7KFoT.js:25
- Finding
- File appears to expose a hardcoded API secret or token.
- Evidence
this.authToken = [REDACTED];
critical
suspicious.exposed_secret_literal
- Location
- dist/runtime-entry-DFzuGKLG.js:1687
- Finding
- File appears to expose a hardcoded API secret or token.
- Evidence
authToken: [REDACTED],
critical
suspicious.exposed_secret_literal
- Location
- dist/twilio-1OqbcXLL.js:187
- Finding
- File appears to expose a hardcoded API secret or token.
- Evidence
this.authToken = [REDACTED];