File appears to expose a hardcoded API secret or token.
Critical
- Code
- suspicious.exposed_secret_literal
- Location
- dist/src/auth.js:99
- Evidence
Authorization: [REDACTED](params.authorization),
Security audit
Security checks across malware telemetry and agentic risk
This Sider channel plugin is broadly coherent, but it sends sensitive chat, tool, and attachment data to Sider with broader capture and less user control than the documentation fully explains.
Install only if you trust Sider with the conversations, assistant outputs, tool inputs/results, command output, and attachments from Sider-driven OpenClaw sessions. Avoid using it in sessions that may expose secrets or sensitive local files, prefer the manual install path if you want reviewability, and review the persisted token in ~/.openclaw/openclaw.json after pairing.
66/66 vendors flagged this plugin as clean.
Detected: suspicious.exposed_secret_literal
Authorization: [REDACTED](params.authorization),
const authorization = [REDACTED]?.trim();
Authorization: [REDACTED](params.authorization),
headers.Authorization = [REDACTED](params.token);
headers.Authorization = [REDACTED](params.authorization);
Authorization: [REDACTED](pairingToken),