TeamChat

AdvisoryAudited by Static analysis on May 10, 2026.

Overview

Detected: suspicious.dangerous_exec, suspicious.env_credential_access, suspicious.exposed_secret_literal

Findings (9)

critical

suspicious.dangerous_exec

Location: scripts/check_open_source_clean.cjs:39
Finding: Shell command execution detected (child_process).
Evidence: return execFileSync('git', args, { encoding: 'utf8' }).trim();

critical

suspicious.dangerous_exec

Location: scripts/smoke.cjs:35
Finding: Shell command execution detected (child_process).
Evidence: const child = spawn(process.execPath, [serverFile], {

critical

suspicious.env_credential_access

Location: scripts/doctor.cjs:7
Finding: Environment variable access combined with network send.
Evidence: const openclawHome = process.env.OPENCLAW_HOME || path.join(os.homedir(), '.openclaw');

critical

suspicious.env_credential_access

Location: scripts/smoke.cjs:5
Finding: Environment variable access combined with network send.
Evidence: const PORT = Number(process.env.PORT || 18788);

critical

suspicious.exposed_secret_literal

Location: assets/js/core/app.js:55
Finding: File appears to expose a hardcoded API secret or token.
Evidence: this.authToken = [REDACTED];

critical

suspicious.exposed_secret_literal

Location: assets/js/services/api.js:13
Finding: File appears to expose a hardcoded API secret or token.
Evidence: this.authToken = [REDACTED]();

critical

suspicious.exposed_secret_literal

Location: public/assets/js/core/app.js:55
Finding: File appears to expose a hardcoded API secret or token.
Evidence: this.authToken = [REDACTED];

critical

suspicious.exposed_secret_literal

Location: public/assets/js/services/api.js:13
Finding: File appears to expose a hardcoded API secret or token.
Evidence: this.authToken = [REDACTED]();

critical

suspicious.exposed_secret_literal

Location: team_chat_login.html:630
Finding: File appears to expose a hardcoded API secret or token.
Evidence: const password = [REDACTED]('password').value.trim();