Exposed secret literal
Critical
- Finding
- File appears to expose a hardcoded API secret or token.
- Content
const AUTHORIZATION = [REDACTED];
Aigroup Lead Discovery Openclaw Release
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The lead-discovery purpose is coherent, but the bundle includes under-disclosed bridge helpers that can use local OpenClaw credentials, send MCP data to remote services, and write debug logs.
Install only if you are comfortable with optional Tianyancha/PrimeMatrix bridge code being present. Before using any bridge helper, review which OpenClaw credentials it reads, use scoped provider keys, confirm the remote URL, and disable or secure debug logs.
Static analysis
VirusTotal
VirusTotal engine telemetry is currently stale for this artifact.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
#
ASI09: Human-Agent Trust Exploitation
Medium
What this means
A user may install the package believing it contains only portable skill instructions, while credential-using bridge code is also present in the bundle.
Why it was flagged
The provided manifest and code file list include scripts/mcp_compat Tianyancha and PrimeMatrix bridge helpers, so this statement under-describes the shipped network/credential helper surface.
Skill content
The Hub release intentionally excludes optional local bridge helpers and focuses on portable skills.
Recommendation
Update the documentation and metadata to clearly disclose the included bridge helpers, or remove them from the Hub bundle if they are not intended to ship.
#
ASI03: Identity and Privilege Abuse
Medium
What this means
If the bridge is run, it can use the user's configured provider credentials to access Tianyancha services.
Why it was flagged
The bridge reads local OpenClaw provider configuration and API key/authorization values, while the registry metadata declares no required credentials or config paths.
Skill content
provider = providers.get("tianyancha") or {}
url = provider.get("baseUrl") if isinstance(provider.get("baseUrl"), str) else ""
auth = provider.get("apiKey") if isinstance(provider.get("apiKey"), str) else ""
...
AUTHORIZATION = SETTINGS["authorization"]Recommendation
Require explicit setup for these credentials, document exactly which config keys are read, and advise users to use scoped, revocable API keys.
#
ASI07: Insecure Inter-Agent Communication
Medium
What this means
Company names, tool arguments, and other MCP message content may be sent to the configured remote service if the bridge is used.
Why it was flagged
The bridge posts MCP payloads to a configured remote URL with authorization, and for unhandled messages forwards the original JSON-RPC message rather than enforcing a narrow local allowlist.
Skill content
const response = await fetch(REMOTE_URL, {
method: "POST",
headers,
body: JSON.stringify(payload),
});
...
const response = await remotePost(message, true);Recommendation
Constrain forwarded methods and arguments to the documented tools, and clearly tell users what data is sent to each remote provider.
#
ASI06: Memory and Context Poisoning
Medium
What this means
Sensitive lead-discovery queries or provider responses could remain on disk after the task finishes.
Why it was flagged
The bridge logs full MCP input and output messages to a persistent /tmp file by default, which can store business-intelligence context outside the normal conversation.
Skill content
LOG_PATH = os.environ.get("CODEX_MCP_DEBUG_LOG", "/tmp/tianyancha_codex_bridge.log")
...
log(f"IN {json.dumps(message, ensure_ascii=False)}")
...
log(f"OUT {json.dumps(message, ensure_ascii=False)}")Recommendation
Make debug logging opt-in, redact sensitive payloads, and store logs with restrictive permissions or disable them by default.