Security audit

Openclaw Murf Plugin

Security checks across malware telemetry and agentic risk

Overview

This appears to be a disclosed Murf text-to-speech plugin; it needs a Murf API key and sends TTS text to Murf, but the provided artifacts do not show hidden, destructive, or unrelated behavior.

This is reasonable to install if you want Murf-backed TTS. Before enabling it, create a dedicated Murf API key, keep it out of source control, understand that TTS text is sent to Murf, and review any auto-TTS or @tts override settings so the plugin only speaks content you intend to send.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

Static analysis

Detected: suspicious.env_credential_access, suspicious.exposed_secret_literal

Environment variable access combined with network send.

Severity: Critical
Code: suspicious.env_credential_access
Location: dist/index.mjs:603
Evidence: const apiKey = config.apiKey || process.env.MURF_API_KEY;

File appears to expose a hardcoded API secret or token.

Severity: Critical
Code: suspicious.exposed_secret_literal
Location: dist/index.mjs:392
Evidence: apiKey: [REDACTED]({

File appears to expose a hardcoded API secret or token.

Severity: Critical
Code: suspicious.exposed_secret_literal
Location: dist/index.mjs.map:1
Evidence: {"version":3,"file":"index.mjs","names":["trimToUndefined","asObject","asNumber"],"sources":["../src/errors.ts","../src/logger.ts","../src/falcon-client.ts",".....

File appears to expose a hardcoded API secret or token.

Severity: Critical
Code: suspicious.exposed_secret_literal
Location: src/config.ts:98
Evidence: apiKey: [REDACTED]({

File appears to expose a hardcoded API secret or token.

Severity: Critical
Code: suspicious.exposed_secret_literal
Location: tests/live/murf.live.test.ts:58
Evidence: apiKey: "[REDACTED]",

File appears to expose a hardcoded API secret or token.

Severity: Critical
Code: suspicious.exposed_secret_literal
Location: tests/unit/falcon-client.test.ts:331
Evidence: const secretKey = "[REDACTED]";