File appears to expose a hardcoded API secret or token.
- Code
- suspicious.exposed_secret_literal
- Location
- dist/tools/search-stays.js:189
- Evidence
apiToken: [REDACTED],
Security audit
Security checks across malware telemetry and agentic risk
Stayfinder appears to match its hotel-search purpose, but it stores a StayFinder token/email and sends your trip search details to StayFinder, so use it only if you trust that service.
Before installing, make sure you are comfortable enabling executable OpenClaw tools that contact StayFinder, storing a local StayFinder token, and sharing trip search details with that service. The provided artifacts do not show scraping, browser automation, destructive actions, or hidden data collection, but the redacted static token warning is worth confirming in the unredacted package if you want extra assurance.
VirusTotal engine telemetry is currently stale for this artifact.
Detected: suspicious.exposed_secret_literal
apiToken: [REDACTED],
api_token: '[REDACTED]',
apiToken: [REDACTED],