critical
suspicious.exposed_secret_literal
- Location
- tests/unit/security.test.ts:202
- Finding
- File appears to expose a hardcoded API secret or token.
- Evidence
const { redacted } = redactSecrets('Authorization: Bearer [REDACTED]');
Policy Layer (CBS) + Security Layers
AdvisoryAudited by Static analysis on May 16, 2026.
Overview
Detected: suspicious.exposed_secret_literal, suspicious.install_untrusted_source, suspicious.nonstandard_network
Findings (3)
warn
suspicious.install_untrusted_source
- Location
- config/openclaw.json:78
- Finding
- Install source points to URL shortener or raw IP.
- Evidence
"baseUrl": "http://127.0.0.1:11434"
warn
suspicious.nonstandard_network
- Location
- tests/integration/hook-simulation.test.ts:187
- Finding
- WebSocket connection to non-standard port detected.
- Evidence
const ws = new WebSocket('ws://127.0.0.1:18789/acp', {