Back to plugin

Security audit

chrome-openclaw-sider

Security checks across malware telemetry and agentic risk

Overview

This Sider channel plugin is broadly coherent, but it sends sensitive chat, tool, and attachment data to Sider with broader capture and less user control than the documentation fully explains.

Install only if you trust Sider with the conversations, assistant outputs, tool inputs/results, command output, and attachments from Sider-driven OpenClaw sessions. Avoid using it in sessions that may expose secrets or sensitive local files, prefer the manual install path if you want reviewability, and review the persisted token in ~/.openclaw/openclaw.json after pairing.

VirusTotal

66/66 vendors flagged this plugin as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/src/auth.js:99
Evidence
Authorization: [REDACTED](params.authorization),

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/src/channel-auto-title.js:30
Evidence
const authorization = [REDACTED]?.trim();

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/src/channel-util.js:203
Evidence
Authorization: [REDACTED](params.authorization),

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/src/inbound-media.js:35
Evidence
headers.Authorization = [REDACTED](params.token);

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/src/media-upload.js:618
Evidence
headers.Authorization = [REDACTED](params.authorization);

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/src/setup-core.js:240
Evidence
Authorization: [REDACTED](pairingToken),